diff --git a/framework/codemodder-base/src/main/java/io/codemodder/CLI.java b/framework/codemodder-base/src/main/java/io/codemodder/CLI.java index c5b6bf5f5..2811e794a 100644 --- a/framework/codemodder-base/src/main/java/io/codemodder/CLI.java +++ b/framework/codemodder-base/src/main/java/io/codemodder/CLI.java @@ -366,14 +366,14 @@ public Integer call() throws IOException { log.debug("excluding paths: {}", pathExcludes); // get all files that match - log.debug("Listing source directories"); + log.trace("Listing source directories"); List sourceDirectories = sourceDirectoryLister.listJavaSourceDirectories(List.of(projectDirectory)); - log.debug("Listing files"); + log.trace("Listing files"); List filePaths = fileFinder.findFiles(projectPath, includesExcludes); - log.debug("Creating codemod regulator"); + log.trace("Creating codemod regulator"); // get codemod includes/excludes final CodemodRegulator regulator; diff --git a/framework/codemodder-base/src/main/java/io/codemodder/DefaultSarifParser.java b/framework/codemodder-base/src/main/java/io/codemodder/DefaultSarifParser.java index bf2debe5c..2785ca3dc 100644 --- a/framework/codemodder-base/src/main/java/io/codemodder/DefaultSarifParser.java +++ b/framework/codemodder-base/src/main/java/io/codemodder/DefaultSarifParser.java @@ -46,7 +46,7 @@ private Optional> tryToBuild( } } - log.info("Found SARIF from unsupported tool: {}", toolName); + log.info("Found SARIF rule entries from unsupported tool: {}", toolName); return Optional.empty(); } diff --git a/plugins/codemodder-plugin-codeql/src/main/java/io/codemodder/providers/sarif/codeql/CodeQLModule.java b/plugins/codemodder-plugin-codeql/src/main/java/io/codemodder/providers/sarif/codeql/CodeQLModule.java index c11f51aa4..44e2b8fc4 100644 --- a/plugins/codemodder-plugin-codeql/src/main/java/io/codemodder/providers/sarif/codeql/CodeQLModule.java +++ b/plugins/codemodder-plugin-codeql/src/main/java/io/codemodder/providers/sarif/codeql/CodeQLModule.java 
@@ -4,12 +4,10 @@ import io.codemodder.CodeChanger; import io.codemodder.RuleSarif; import java.lang.reflect.Constructor; -import java.util.List; -import java.util.Map; -import java.util.Objects; -import java.util.Optional; -import java.util.stream.Collectors; +import java.util.*; import java.util.stream.Stream; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** Responsible for distributing the SARIFS to CodeQL based codemods based on rules. */ public final class CodeQLModule extends AbstractModule { @@ -27,9 +25,16 @@ public final class CodeQLModule extends AbstractModule { protected void configure() { // What if there are multiple sarif files with a given rule? // We can safely ignore this case for now. - final Map map = - allCodeqlRuleSarifs.stream() - .collect(Collectors.toUnmodifiableMap(RuleSarif::getRule, rs -> rs)); + final Map map = new HashMap<>(); + allCodeqlRuleSarifs.forEach( + rs -> { + if (!map.containsKey(rs.getRule())) { + map.put(rs.getRule(), rs); + } else { + log.warn( + "Multiple SARIFs found for rule: {}, ignoring results after first", rs.getRule()); + } + }); for (final Class codemodType : codemodTypes) { final Constructor[] constructors = codemodType.getDeclaredConstructors(); @@ -49,4 +54,6 @@ protected void configure() { .toInstance(map.getOrDefault(providedCodeQLScan.ruleId(), RuleSarif.EMPTY))); } } + + private static final Logger log = LoggerFactory.getLogger(CodeQLModule.class); } diff --git a/plugins/codemodder-plugin-codeql/src/main/java/io/codemodder/providers/sarif/codeql/CodeQLRuleSarif.java b/plugins/codemodder-plugin-codeql/src/main/java/io/codemodder/providers/sarif/codeql/CodeQLRuleSarif.java index a78734538..423e1fbca 100644 --- a/plugins/codemodder-plugin-codeql/src/main/java/io/codemodder/providers/sarif/codeql/CodeQLRuleSarif.java +++ b/plugins/codemodder-plugin-codeql/src/main/java/io/codemodder/providers/sarif/codeql/CodeQLRuleSarif.java 
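Review bot: `import java.util.*;` collapses five explicit imports into a wildcard, and the CodeQLRuleSarif hunk does the same with `import com.contrastsecurity.sarif.*;`, although both files otherwise list imports one per name. A wildcard hides which types the file depends on and can silently bind a new name the moment a dependency adds a same-named class. Keeping the explicit form for the names the new code actually uses — `import java.util.HashMap;`, `import java.util.List;`, `import java.util.Map;` (plus whichever of `Objects`/`Optional` the unchanged code still references, and `import com.contrastsecurity.sarif.ReportingDescriptor;` in CodeQLRuleSarif) — costs a few lines and keeps the dependency list reviewable.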
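Review bot: The comment kept just above the new code, `// We can safely ignore this case for now.`, is now stale, because the hunk handles the duplicate-rule case explicitly by keeping the first SARIF and warning about the rest; something like `// When several SARIFs carry the same rule, the first one in allCodeqlRuleSarifs wins; later ones are logged and dropped.` describes what the code does. The containsKey/put pair can collapse to `if (map.putIfAbsent(rs.getRule(), rs) != null) { log.warn("Multiple SARIFs found for rule: {}, ignoring results after first", rs.getRule()); }`. Which SARIF wins now depends on the iteration order of `allCodeqlRuleSarifs`, which is stated nowhere, and since a dropped SARIF means dropped findings, the warning would be more actionable if it also named the source of the discarded entry, assuming `RuleSarif` exposes one. Note that `Collectors.toUnmodifiableMap` previously failed fast on a duplicate key, so this turns an exception into a warning — any caller that relied on that failure should be checked. configure() continues outside the hunk.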
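Review bot: The new `log` constant is declared after the last method instead of with the class's other fields, so a reader of configure() meets `log.warn(...)` before the declaration. Static constants conventionally lead the class body; moving `private static final Logger log = LoggerFactory.getLogger(CodeQLModule.class);` up next to the existing fields is a one-line change.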
@@ -1,16 +1,12 @@ package io.codemodder.providers.sarif.codeql; -import com.contrastsecurity.sarif.Region; -import com.contrastsecurity.sarif.Result; -import com.contrastsecurity.sarif.Run; -import com.contrastsecurity.sarif.SarifSchema210; +import com.contrastsecurity.sarif.*; import io.codemodder.CodeDirectory; import io.codemodder.RuleSarif; import java.io.IOException; import java.nio.file.Files; import java.nio.file.Path; import java.util.*; -import java.util.stream.Collectors; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -39,12 +35,8 @@ private String extractRuleId(final Result result, final Run run) { .skip(toolIndex) .findFirst() .flatMap(tool -> tool.getRules().stream().skip(ruleIndex).findFirst()) - .map(rd -> rd.getId()); - if (maybeRule.isPresent()) { - return maybeRule.get(); - } else { - return null; - } + .map(ReportingDescriptor::getId); + return maybeRule.orElse(null); } return result.getRuleId(); } @@ -53,7 +45,7 @@ private String extractRuleId(final Result result, final Run run) { public List getRegionsFromResultsByRule(final Path path) { return getResultsByLocationPath(path).stream() .map(result -> result.getLocations().get(0).getPhysicalLocation().getRegion()) - .collect(Collectors.toUnmodifiableList()); + .toList(); } @Override diff --git a/plugins/codemodder-plugin-codeql/src/test/java/io/codemodder/providers/sarif/codeql/ConflictingSarifTest.java b/plugins/codemodder-plugin-codeql/src/test/java/io/codemodder/providers/sarif/codeql/ConflictingSarifTest.java new file mode 100644 index 000000000..0eac2d336 --- /dev/null +++ b/plugins/codemodder-plugin-codeql/src/test/java/io/codemodder/providers/sarif/codeql/ConflictingSarifTest.java 
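Review bot: `return maybeRule.orElse(null);` preserves a null-returning contract without documenting it: the method yields `null` when the tool/rule indices do not resolve, and `result.getRuleId()` on the following line may be null as well, so a caller that keys a map by this value (CodeQLModule keys its map by `getRule()`, if that is derived from this method) would end up with a null key. A Javadoc line such as `@return the rule id, or {@code null} when neither the rule index nor the result carries one` makes that visible. Since `maybeRule` is only returned, the local can go and `.orElse(null)` be chained directly onto the stream. extractRuleId's body starts outside the hunk.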
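Review bot: `Stream.toList()` is not a drop-in for `Collectors.toUnmodifiableList()`: the collector rejects null elements with a NullPointerException, whereas `toList()` admits them, so a result whose physical location has no region (`getRegion()` returning null for a SARIF that omits it) now produces a null entry in the returned list instead of failing at collection time. Either add `.filter(Objects::nonNull)` before `.toList()` or document that callers must expect null regions. The context line `result.getLocations().get(0)` also throws on a result with an empty locations list; that is pre-existing, but a guard is cheap while this pipeline is being touched. `toList()` requires Java 16+, presumably already the project's baseline.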
@@ -0,0 +1,44 @@ +package io.codemodder.providers.sarif.codeql; + +import io.codemodder.*; +import java.nio.file.Path; +import java.util.List; +import java.util.Map; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.io.TempDir; + +final class ConflictingSarifTest { + + /** + * Test that conflicting SARIFs can be combined, and will fail gracefully, only honoring the first + * set of results found. + */ + @Test + void it_combines_sarifs_with_overlapping_keys(@TempDir Path tempDir) { + List sarifFiles = + List.of( + Path.of("src/test/resources/conflicting-sarifs/codeql-0.sarif"), + Path.of("src/test/resources/conflicting-sarifs/codeql-1.sarif"), + Path.of("src/test/resources/conflicting-sarifs/codeql-2.sarif"), + Path.of("src/test/resources/conflicting-sarifs/codeql-3.sarif"), + Path.of("src/test/resources/conflicting-sarifs/codeql-4.sarif"), + Path.of("src/test/resources/conflicting-sarifs/codeql-5.sarif")); + + Map> pathSarifMap = + SarifParser.create().parseIntoMap(sarifFiles, CodeDirectory.from(tempDir)); + + new CodemodLoader( + List.of(), + CodemodRegulator.of(DefaultRuleSetting.ENABLED, List.of()), + tempDir, + List.of(), + List.of(), + List.of(), + pathSarifMap, + List.of(), + List.of(), + List.of(), + null, + null); + } +} diff --git a/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-0.sarif b/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-0.sarif new file mode 100644 index 000000000..3879d8f42 --- /dev/null +++ b/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-0.sarif 
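Review bot: The test has no assertion — it only checks that the `CodemodLoader` constructor does not throw — while its Javadoc promises it verifies "only honoring the first set of results found". It should assert that property, for instance by looking up the conflicting rule in `pathSarifMap` (or wherever the loader exposes it) and checking the honored `RuleSarif` is the one from the first file in the list, and ideally by capturing the `log.warn` emitted for the duplicates. The fixture paths are relative to the working directory (`Path.of("src/test/resources/...")`), which breaks when the test is launched from the repository root; resolving them via `getClass().getResource(...)` is independent of the CWD. Six fixtures the size of the first (its hunk header shows 51061 added lines) are heavy for a duplicate-key test; trimmed SARIFs containing only the overlapping rule would keep the fixture reviewable. The eleven positional arguments with two `null`s are pre-existing loader API, not this change.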
@@ -0,0 +1,51061 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "CodeQL", + "semanticVersion": "2.19.3" + }, + "extensions": [ + { + "name": "codeql/java-queries", + "semanticVersion": "1.1.8+39a67b6e2e6490a9bd010db50e148f647765e9f7", + "rules": [ + { + "id": "java/android/debuggable-attribute-enabled", + "name": "java/android/debuggable-attribute-enabled", + "shortDescription": { + "text": "Android debuggable attribute enabled" + }, + "fullDescription": { + "text": "An enabled debugger can allow for entry points in the application or reveal sensitive information." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Android debuggable attribute enabled\nThe Android manifest file defines configuration settings for Android applications. In this file, the `android:debuggable` attribute of the `application` element can be used to define whether or not the application can be debugged. When set to `true`, this attribute will allow the application to be debugged even when running on a device in user mode.\n\nWhen a debugger is enabled, it could allow for entry points in the application or reveal sensitive information. As a result, `android:debuggable` should only be enabled during development and should be disabled in production builds.\n\n\n## Recommendation\nIn Android applications, either set the `android:debuggable` attribute to `false`, or do not include it in the manifest. 
The default value, when not included, is `false`.\n\n\n## Example\nIn the example below, the `android:debuggable` attribute is set to `true`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\nThe corrected version sets the `android:debuggable` attribute to `false`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The android:debuggable attribute](https://developer.android.com/guide/topics/manifest/application-element#debug).\n* Android Developers: [Enable debugging](https://developer.android.com/studio/debug#enable-debug).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n", + "markdown": "# Android debuggable attribute enabled\nThe Android manifest file defines configuration settings for Android applications. In this file, the `android:debuggable` attribute of the `application` element can be used to define whether or not the application can be debugged. When set to `true`, this attribute will allow the application to be debugged even when running on a device in user mode.\n\nWhen a debugger is enabled, it could allow for entry points in the application or reveal sensitive information. As a result, `android:debuggable` should only be enabled during development and should be disabled in production builds.\n\n\n## Recommendation\nIn Android applications, either set the `android:debuggable` attribute to `false`, or do not include it in the manifest. 
The default value, when not included, is `false`.\n\n\n## Example\nIn the example below, the `android:debuggable` attribute is set to `true`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\nThe corrected version sets the `android:debuggable` attribute to `false`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The android:debuggable attribute](https://developer.android.com/guide/topics/manifest/application-element#debug).\n* Android Developers: [Enable debugging](https://developer.android.com/studio/debug#enable-debug).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-489", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql", + "precision": "very-high", + "security-severity": "7.2" + } + }, + { + "id": "java/android/fragment-injection", + "name": "java/android/fragment-injection", + "shortDescription": { + "text": "Android fragment injection" + }, + "fullDescription": { + "text": "Instantiating an Android fragment from a user-provided value may allow a malicious application to bypass access controls, exposing the application to unintended effects." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android fragment injection\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. 
This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n", + "markdown": "# Android fragment injection\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. 
This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-470", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/android/fragment-injection-preference-activity", + "name": "java/android/fragment-injection-preference-activity", + "shortDescription": { + "text": "Android fragment injection in PreferenceActivity" + }, + "fullDescription": { + "text": "An insecure implementation of the 'isValidFragment' method of the 'PreferenceActivity' class may allow a malicious application to bypass access controls, exposing the application to unintended effects." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android fragment injection in PreferenceActivity\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. 
Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n", + "markdown": "# Android fragment injection in PreferenceActivity\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. 
This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-470", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/android/implicit-pendingintents", + "name": "java/android/implicit-pendingintents", + "shortDescription": { + "text": "Use of implicit PendingIntents" + }, + "fullDescription": { + "text": "Sending an implicit and mutable 'PendingIntent' to an unspecified third party component may provide an attacker with access to internal components of the application or cause other unintended effects." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of implicit PendingIntents\nA `PendingIntent` is used to wrap an `Intent` that will be supplied and executed by another application. When the `Intent` is executed, it behaves as if it were run directly by the supplying application, using the privileges of that application.\n\nIf a `PendingIntent` is configured to be mutable, the fields of its internal `Intent` can be changed by the receiving application if they were not previously set. This means that a mutable `PendingIntent` that has not defined a destination component (that is, an implicit `PendingIntent`) can be altered to execute an arbitrary action with the privileges of the application that created it.\n\nA malicious application can access an implicit `PendingIntent` as follows:\n\n* It is wrapped and sent as an extra of another implicit `Intent`.\n* It is sent as the action of a `Slide`.\n* It is sent as the action of a `Notification`.\n\n\nOn gaining access, the attacker can modify the underlying `Intent` and execute an arbitrary action with elevated privileges. This could give the malicious application access to private components of the victim application, or the ability to perform actions without having the necessary permissions.\n\n\n## Recommendation\nAvoid creating implicit `PendingIntent`s. 
This means that the underlying `Intent` should always have an explicit destination component.\n\nWhen you add the `PendingIntent` as an extra of another `Intent`, make sure that this second `Intent` also has an explicit destination component, so that it is not delivered to untrusted applications.\n\nCreate the `PendingIntent` using the flag `FLAG_IMMUTABLE` whenever possible, to prevent the destination component from modifying empty fields of the underlying `Intent`.\n\n\n## Example\nIn the following examples, a `PendingIntent` is created and wrapped as an extra of another `Intent`.\n\nIn the first example, both the `PendingIntent` and the `Intent` it is wrapped in are implicit, making them vulnerable to attack.\n\nIn the second example, the issue is avoided by adding explicit destination components to the `PendingIntent` and the wrapping `Intent`.\n\nThe third example uses the `FLAG_IMMUTABLE` flag to prevent the underlying `Intent` from being modified by the destination component.\n\n\n```java\nimport android.app.Activity;\nimport android.app.PendingIntent;\nimport android.content.Intent;\nimport android.os.Bundle;\n\npublic class ImplicitPendingIntents extends Activity {\n\n\tpublic void onCreate(Bundle savedInstance) {\n\t\t{\n\t\t\t// BAD: an implicit Intent is used to create a PendingIntent.\n\t\t\t// The PendingIntent is then added to another implicit Intent\n\t\t\t// and started.\n\t\t\tIntent baseIntent = new Intent();\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent(\"SOME_ACTION\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tsendBroadcast(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: both the PendingIntent and the wrapping Intent are explicit.\n\t\t\tIntent safeIntent = new Intent(this, AnotherActivity.class);\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, safeIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent 
= new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: The PendingIntent is created with FLAG_IMMUTABLE.\n\t\t\tIntent baseIntent = new Intent(\"SOME_ACTION\");\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* Google Help: [ Remediation for Implicit PendingIntent Vulnerability ](https://support.google.com/faqs/answer/10437428?hl=en)\n* University of Potsdam: [ PIAnalyzer: A precise approach for PendingIntent vulnerability analysis ](https://www.cs.uni-potsdam.de/se/papers/esorics18.pdf)\n* Common Weakness Enumeration: [CWE-927](https://cwe.mitre.org/data/definitions/927.html).\n", + "markdown": "# Use of implicit PendingIntents\nA `PendingIntent` is used to wrap an `Intent` that will be supplied and executed by another application. When the `Intent` is executed, it behaves as if it were run directly by the supplying application, using the privileges of that application.\n\nIf a `PendingIntent` is configured to be mutable, the fields of its internal `Intent` can be changed by the receiving application if they were not previously set. 
This means that a mutable `PendingIntent` that has not defined a destination component (that is, an implicit `PendingIntent`) can be altered to execute an arbitrary action with the privileges of the application that created it.\n\nA malicious application can access an implicit `PendingIntent` as follows:\n\n* It is wrapped and sent as an extra of another implicit `Intent`.\n* It is sent as the action of a `Slide`.\n* It is sent as the action of a `Notification`.\n\n\nOn gaining access, the attacker can modify the underlying `Intent` and execute an arbitrary action with elevated privileges. This could give the malicious application access to private components of the victim application, or the ability to perform actions without having the necessary permissions.\n\n\n## Recommendation\nAvoid creating implicit `PendingIntent`s. This means that the underlying `Intent` should always have an explicit destination component.\n\nWhen you add the `PendingIntent` as an extra of another `Intent`, make sure that this second `Intent` also has an explicit destination component, so that it is not delivered to untrusted applications.\n\nCreate the `PendingIntent` using the flag `FLAG_IMMUTABLE` whenever possible, to prevent the destination component from modifying empty fields of the underlying `Intent`.\n\n\n## Example\nIn the following examples, a `PendingIntent` is created and wrapped as an extra of another `Intent`.\n\nIn the first example, both the `PendingIntent` and the `Intent` it is wrapped in are implicit, making them vulnerable to attack.\n\nIn the second example, the issue is avoided by adding explicit destination components to the `PendingIntent` and the wrapping `Intent`.\n\nThe third example uses the `FLAG_IMMUTABLE` flag to prevent the underlying `Intent` from being modified by the destination component.\n\n\n```java\nimport android.app.Activity;\nimport android.app.PendingIntent;\nimport android.content.Intent;\nimport android.os.Bundle;\n\npublic class 
ImplicitPendingIntents extends Activity {\n\n\tpublic void onCreate(Bundle savedInstance) {\n\t\t{\n\t\t\t// BAD: an implicit Intent is used to create a PendingIntent.\n\t\t\t// The PendingIntent is then added to another implicit Intent\n\t\t\t// and started.\n\t\t\tIntent baseIntent = new Intent();\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent(\"SOME_ACTION\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tsendBroadcast(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: both the PendingIntent and the wrapping Intent are explicit.\n\t\t\tIntent safeIntent = new Intent(this, AnotherActivity.class);\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, safeIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: The PendingIntent is created with FLAG_IMMUTABLE.\n\t\t\tIntent baseIntent = new Intent(\"SOME_ACTION\");\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* Google Help: [ Remediation for Implicit PendingIntent Vulnerability ](https://support.google.com/faqs/answer/10437428?hl=en)\n* University of Potsdam: [ PIAnalyzer: A precise approach for PendingIntent vulnerability analysis ](https://www.cs.uni-potsdam.de/se/papers/esorics18.pdf)\n* Common Weakness Enumeration: [CWE-927](https://cwe.mitre.org/data/definitions/927.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-927", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/android/implicitly-exported-component", + "name": "java/android/implicitly-exported-component", + "shortDescription": { + "text": "Implicitly exported Android component" + }, + "fullDescription": { + "text": "Android components with an '' and no 'android:exported' attribute are implicitly exported, which can allow for improper access to the components themselves and to their data." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Implicitly exported Android component\nThe Android manifest file defines configuration settings for Android applications. In this file, components can be declared with intent filters which specify what the components can do and what types of intents the components can respond to. If the `android:exported` attribute is omitted from the component when an intent filter is included, then the component will be implicitly exported.\n\nAn implicitly exported component could allow for improper access to the component and its data.\n\n\n## Recommendation\nExplicitly set the `android:exported` attribute for every component or use permissions to limit access to the component.\n\n\n## Example\nIn the example below, the `android:exported` attribute is omitted when an intent filter is used.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n \n \n \n \n \n\n\n```\nA corrected version sets the `android:exported` attribute to `false`.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n android:exported=\"false\"\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The <intent-filter> element](https://developer.android.com/guide/topics/manifest/intent-filter-element).\n* Android Developers: [The 
android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Android Developers: [The android:permission attribute](https://developer.android.com/guide/topics/manifest/activity-element#prmsn).\n* Android Developers: [Safer component exporting](https://developer.android.com/about/versions/12/behavior-changes-12#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n", + "markdown": "# Implicitly exported Android component\nThe Android manifest file defines configuration settings for Android applications. In this file, components can be declared with intent filters which specify what the components can do and what types of intents the components can respond to. If the `android:exported` attribute is omitted from the component when an intent filter is included, then the component will be implicitly exported.\n\nAn implicitly exported component could allow for improper access to the component and its data.\n\n\n## Recommendation\nExplicitly set the `android:exported` attribute for every component or use permissions to limit access to the component.\n\n\n## Example\nIn the example below, the `android:exported` attribute is omitted when an intent filter is used.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n \n \n \n \n \n\n\n```\nA corrected version sets the `android:exported` attribute to `false`.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n android:exported=\"false\"\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The <intent-filter> element](https://developer.android.com/guide/topics/manifest/intent-filter-element).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Android Developers: [The android:permission 
attribute](https://developer.android.com/guide/topics/manifest/activity-element#prmsn).\n* Android Developers: [Safer component exporting](https://developer.android.com/about/versions/12/behavior-changes-12#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-926", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/android/insecure-local-authentication", + "name": "java/android/insecure-local-authentication", + "shortDescription": { + "text": "Insecure local authentication" + }, + "fullDescription": { + "text": "Local authentication that does not make use of a `CryptoObject` can be bypassed." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Insecure local authentication\nBiometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. However, if this authentication does not use a `KeyStore`-backed key, it can be bypassed by a privileged malicious application, or by an attacker with physical access using application hooking tools such as Frida.\n\n\n## Recommendation\nGenerate a secure key in the Android `KeyStore`. 
Ensure that the `onAuthenticationSuccess` callback for a biometric prompt uses it in a way that is required for the sensitive parts of the application to function, such as by using it to decrypt sensitive data or credentials.\n\n\n## Example\nIn the following (bad) case, no `CryptoObject` is required for the biometric prompt to grant access, so it can be bypassed.\n\n\n```java\nbiometricPrompt.authenticate(\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback {\n @Override\n // BAD: This authentication callback does not make use of a `CryptoObject` from the `result`.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n grantAccess()\n }\n }\n)\n```\nIn the following (good) case, a secret key is generated in the Android `KeyStore`. The application requires this secret key for access, using it to decrypt data.\n\n\n```java\nprivate void generateSecretKey() {\n KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(\n \"MySecretKey\",\n KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)\n .setBlockModes(KeyProperties.BLOCK_MODE_CBC)\n .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)\n .setUserAuthenticationRequired(true)\n .setInvalidatedByBiometricEnrollment(true)\n .build();\n KeyGenerator keyGenerator = KeyGenerator.getInstance(\n KeyProperties.KEY_ALGORITHM_AES, \"AndroidKeyStore\");\n keyGenerator.init(keyGenParameterSpec);\n keyGenerator.generateKey();\n}\n\n\nprivate SecretKey getSecretKey() {\n KeyStore keyStore = KeyStore.getInstance(\"AndroidKeyStore\");\n keyStore.load(null);\n return ((SecretKey)keyStore.getKey(\"MySecretKey\", null));\n}\n\nprivate Cipher getCipher() {\n return Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + \"/\"\n + KeyProperties.BLOCK_MODE_CBC + \"/\"\n + KeyProperties.ENCRYPTION_PADDING_PKCS7);\n}\n\npublic prompt(byte[] encryptedData) {\n Cipher cipher = getCipher();\n SecretKey secretKey = getSecretKey();\n 
cipher.init(Cipher.DECRYPT_MODE, secretKey);\n\n biometricPrompt.authenticate(\n new BiometricPrompt.CryptoObject(cipher),\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback() {\n @Override\n // GOOD: This authentication callback uses the result to decrypt some data.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n Cipher cipher = result.getCryptoObject().getCipher();\n byte[] decryptedData = cipher.doFinal(encryptedData);\n grantAccessWithData(decryptedData);\n }\n }\n );\n}\n```\n\n## References\n* OWASP Mobile Application Security: [Android Local Authentication](https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/)\n* OWASP Mobile Application Security: [Testing Biometric Authentication](https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0018/)\n* WithSecure: [How Secure is your Android Keystore Authentication?](https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication)\n* Android Developers: [Biometric Authentication](https://developer.android.com/training/sign-in/biometric-auth)\n* Common Weakness Enumeration: [CWE-287](https://cwe.mitre.org/data/definitions/287.html).\n", + "markdown": "# Insecure local authentication\nBiometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. However, if this authentication does not use a `KeyStore`-backed key, it can be bypassed by a privileged malicious application, or by an attacker with physical access using application hooking tools such as Frida.\n\n\n## Recommendation\nGenerate a secure key in the Android `KeyStore`. 
Ensure that the `onAuthenticationSuccess` callback for a biometric prompt uses it in a way that is required for the sensitive parts of the application to function, such as by using it to decrypt sensitive data or credentials.\n\n\n## Example\nIn the following (bad) case, no `CryptoObject` is required for the biometric prompt to grant access, so it can be bypassed.\n\n\n```java\nbiometricPrompt.authenticate(\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback {\n @Override\n // BAD: This authentication callback does not make use of a `CryptoObject` from the `result`.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n grantAccess()\n }\n }\n)\n```\nIn the following (good) case, a secret key is generated in the Android `KeyStore`. The application requires this secret key for access, using it to decrypt data.\n\n\n```java\nprivate void generateSecretKey() {\n KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(\n \"MySecretKey\",\n KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)\n .setBlockModes(KeyProperties.BLOCK_MODE_CBC)\n .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)\n .setUserAuthenticationRequired(true)\n .setInvalidatedByBiometricEnrollment(true)\n .build();\n KeyGenerator keyGenerator = KeyGenerator.getInstance(\n KeyProperties.KEY_ALGORITHM_AES, \"AndroidKeyStore\");\n keyGenerator.init(keyGenParameterSpec);\n keyGenerator.generateKey();\n}\n\n\nprivate SecretKey getSecretKey() {\n KeyStore keyStore = KeyStore.getInstance(\"AndroidKeyStore\");\n keyStore.load(null);\n return ((SecretKey)keyStore.getKey(\"MySecretKey\", null));\n}\n\nprivate Cipher getCipher() {\n return Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + \"/\"\n + KeyProperties.BLOCK_MODE_CBC + \"/\"\n + KeyProperties.ENCRYPTION_PADDING_PKCS7);\n}\n\npublic prompt(byte[] encryptedData) {\n Cipher cipher = getCipher();\n SecretKey secretKey = getSecretKey();\n 
cipher.init(Cipher.DECRYPT_MODE, secretKey);\n\n biometricPrompt.authenticate(\n new BiometricPrompt.CryptoObject(cipher),\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback() {\n @Override\n // GOOD: This authentication callback uses the result to decrypt some data.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n Cipher cipher = result.getCryptoObject().getCipher();\n byte[] decryptedData = cipher.doFinal(encryptedData);\n grantAccessWithData(decryptedData);\n }\n }\n );\n}\n```\n\n## References\n* OWASP Mobile Application Security: [Android Local Authentication](https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/)\n* OWASP Mobile Application Security: [Testing Biometric Authentication](https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0018/)\n* WithSecure: [How Secure is your Android Keystore Authentication?](https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication)\n* Android Developers: [Biometric Authentication](https://developer.android.com/training/sign-in/biometric-auth)\n* Common Weakness Enumeration: [CWE-287](https://cwe.mitre.org/data/definitions/287.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-287", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql", + "precision": "high", + "security-severity": "4.4" + } + }, + { + "id": "java/android/intent-redirection", + "name": "java/android/intent-redirection", + "shortDescription": { + "text": "Android Intent redirection" + }, + "fullDescription": { + "text": "Starting Android components with user-provided Intents can provide access to internal components of the application, increasing the attack surface and potentially causing unintended effects." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android Intent redirection\nAn exported Android component that obtains a user-provided Intent and uses it to launch another component can be exploited to obtain access to private, unexported components of the same app or to launch other apps' components on behalf of the victim app.\n\n\n## Recommendation\nDo not export components that start other components from a user-provided Intent. They can be made private by setting the `android:exported` property to `false` in the app's Android Manifest.\n\nIf this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.\n\n\n## Example\nThe following snippet contains three examples. In the first example, an arbitrary component can be started from the externally provided `forward_intent` Intent. In the second example, the destination component of the Intent is first checked to make sure it is safe. 
In the third example, the component that created the Intent is first checked to make sure it comes from a trusted origin.\n\n\n```java\n// BAD: A user-provided Intent is used to launch an arbitrary component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nstartActivity(forwardIntent);\n\n// GOOD: The destination component is checked before launching it\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());\nif (destinationComponent.getPackageName().equals(\"safe.package\") && \n destinationComponent.getClassName().equals(\"SafeClass\")) {\n startActivity(forwardIntent);\n}\n\n// GOOD: The component that sent the Intent is checked before launching the destination component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName originComponent = getCallingActivity();\nif (originComponent.getPackageName().equals(\"trusted.package\") && originComponent.getClassName().equals(\"TrustedClass\")) {\n startActivity(forwardIntent);\n}\n\n```\n\n## References\n* Google: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* OWASP Mobile Security Testing Guide: [Intents](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n", + "markdown": "# Android Intent redirection\nAn exported Android component that obtains a user-provided Intent and uses it to launch another component can be exploited to obtain access to private, unexported components of 
the same app or to launch other apps' components on behalf of the victim app.\n\n\n## Recommendation\nDo not export components that start other components from a user-provided Intent. They can be made private by setting the `android:exported` property to `false` in the app's Android Manifest.\n\nIf this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.\n\n\n## Example\nThe following snippet contains three examples. In the first example, an arbitrary component can be started from the externally provided `forward_intent` Intent. In the second example, the destination component of the Intent is first checked to make sure it is safe. In the third example, the component that created the Intent is first checked to make sure it comes from a trusted origin.\n\n\n```java\n// BAD: A user-provided Intent is used to launch an arbitrary component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nstartActivity(forwardIntent);\n\n// GOOD: The destination component is checked before launching it\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());\nif (destinationComponent.getPackageName().equals(\"safe.package\") && \n destinationComponent.getClassName().equals(\"SafeClass\")) {\n startActivity(forwardIntent);\n}\n\n// GOOD: The component that sent the Intent is checked before launching the destination component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName originComponent = getCallingActivity();\nif (originComponent.getPackageName().equals(\"trusted.package\") && originComponent.getClassName().equals(\"TrustedClass\")) {\n startActivity(forwardIntent);\n}\n\n```\n\n## References\n* Google: [Remediation for Intent Redirection 
Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* OWASP Mobile Security Testing Guide: [Intents](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-926", + "external/cwe/cwe-940", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/android/intent-uri-permission-manipulation", + "name": "java/android/intent-uri-permission-manipulation", + "shortDescription": { + "text": "Intent URI permission manipulation" + }, + "fullDescription": { + "text": "Returning an externally provided Intent via 'setResult' may allow a malicious application to access arbitrary content providers of the vulnerable application." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Intent URI permission manipulation\nWhen an Android component expects a result from an Activity, `startActivityForResult` can be used. The started Activity can then use `setResult` to return the appropriate data to the calling component.\n\nIf an Activity obtains the incoming, user-provided Intent and directly returns it via `setResult` without any checks, the application may be unintentionally giving arbitrary access to its content providers, even if they are not exported, as long as they are configured with the attribute `android:grantUriPermissions=\"true\"`. 
This happens because the attacker adds the appropriate URI permission flags to the provided Intent, which take effect once the Intent is reflected back.\n\n\n## Recommendation\nAvoid returning user-provided or untrusted Intents via `setResult`. Use a new Intent instead.\n\nIf it is required to use the received Intent, make sure that it does not contain URI permission flags, either by checking them with `Intent.getFlags` or removing them with `Intent.removeFlags`.\n\n\n## Example\nThe following sample contains three examples. In the first example, a user-provided Intent is obtained and directly returned back with `setResult`, which is dangerous. In the second example, a new Intent is created to safely return the desired data. The third example shows how the obtained Intent can be sanitized by removing dangerous flags before using it to return data to the calling component.\n\n\n```java\npublic class IntentUriPermissionManipulation extends Activity {\n\n // BAD: the user-provided Intent is returned as-is\n public void dangerous() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: a new Intent is created and returned\n public void safe() {\n Intent intent = new Intent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: the user-provided Intent is sanitized before being returned\n public void sanitized() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n intent.removeFlags(\n Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION);\n setResult(intent);\n }\n}\n\n```\n\n## References\n* Google Help: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n", + "markdown": "# Intent URI 
permission manipulation\nWhen an Android component expects a result from an Activity, `startActivityForResult` can be used. The started Activity can then use `setResult` to return the appropriate data to the calling component.\n\nIf an Activity obtains the incoming, user-provided Intent and directly returns it via `setResult` without any checks, the application may be unintentionally giving arbitrary access to its content providers, even if they are not exported, as long as they are configured with the attribute `android:grantUriPermissions=\"true\"`. This happens because the attacker adds the appropriate URI permission flags to the provided Intent, which take effect once the Intent is reflected back.\n\n\n## Recommendation\nAvoid returning user-provided or untrusted Intents via `setResult`. Use a new Intent instead.\n\nIf it is required to use the received Intent, make sure that it does not contain URI permission flags, either by checking them with `Intent.getFlags` or removing them with `Intent.removeFlags`.\n\n\n## Example\nThe following sample contains three examples. In the first example, a user-provided Intent is obtained and directly returned back with `setResult`, which is dangerous. In the second example, a new Intent is created to safely return the desired data. 
The third example shows how the obtained Intent can be sanitized by removing dangerous flags before using it to return data to the calling component.\n\n\n```java\npublic class IntentUriPermissionManipulation extends Activity {\n\n // BAD: the user-provided Intent is returned as-is\n public void dangerous() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: a new Intent is created and returned\n public void safe() {\n Intent intent = new Intent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: the user-provided Intent is sanitized before being returned\n public void sanitized() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n intent.removeFlags(\n Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION);\n setResult(intent);\n }\n}\n\n```\n\n## References\n* Google Help: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-266", + "external/cwe/cwe-926", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/android/unsafe-content-uri-resolution", + "name": "java/android/unsafe-content-uri-resolution", + "shortDescription": { + "text": "Uncontrolled data used in content resolution" + }, + "fullDescription": { + "text": "Resolving externally-provided content URIs without validation can allow an attacker to access unexpected resources." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Uncontrolled data used in content resolution\nWhen an Android application wants to access data in a content provider, it uses the `ContentResolver` object. `ContentResolver`s communicate with an instance of a class that implements the `ContentProvider` interface via URIs with the `content://` scheme. The authority part (the first path segment) of the URI, passed as parameter to the `ContentResolver`, determines which content provider is contacted for the operation. Specific operations that act on files also support the `file://` scheme, in which case the local filesystem is queried instead. If an external component, like a malicious or compromised application, controls the URI for a `ContentResolver` operation, it can trick the vulnerable application into accessing its own private files or non-exported content providers. The attacking application might be able to get access to the file by forcing it to be copied to a public directory, like external storage, or tamper with the contents by making the application overwrite the file with unexpected data.\n\n\n## Recommendation\nIf possible, avoid using externally-provided data to determine the URI for a `ContentResolver` to use. If that is not an option, validate that the incoming URI can only reference trusted components, like an allow list of content providers and/or applications, or alternatively make sure that the URI does not reference private directories like `/data/`.\n\n\n## Example\nThis example shows three ways of opening a file using a `ContentResolver`. In the first case, externally-provided data from an intent is used directly in the file-reading operation. This allows an attacker to provide a URI of the form `/data/data/(vulnerable app package)/(private file)` to trick the application into reading it and copying it to the external storage. 
In the second case, an insufficient check is performed on the externally-provided URI, still leaving room for exploitation. In the third case, the URI is correctly validated before being used, making sure it does not reference any internal application files.\n\n\n```java\nimport android.content.ContentResolver;\nimport android.net.Uri;\n\npublic class Example extends Activity {\n public void onCreate() {\n // BAD: Externally-provided URI directly used in content resolution\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // BAD: input URI is not normalized, and check can be bypassed with \"..\" characters\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n if (path.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // GOOD: URI is properly validated to block access to internal files\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n java.nio.file.Path normalized =\n java.nio.file.FileSystems.getDefault().getPath(path).normalize();\n if (normalized.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n }\n\n private void copyToExternalCache(InputStream is) {\n // Reads the contents of is and writes a file in the app's external\n // cache directory, which can be read publicly by applications in the same device.\n }\n}\n\n```\n\n## References\n* Android developers: [Content provider basics](https://developer.android.com/guide/topics/providers/content-provider-basics)\n* [The ContentResolver 
class](https://developer.android.com/reference/android/content/ContentResolver)\n* Common Weakness Enumeration: [CWE-441](https://cwe.mitre.org/data/definitions/441.html).\n* Common Weakness Enumeration: [CWE-610](https://cwe.mitre.org/data/definitions/610.html).\n", + "markdown": "# Uncontrolled data used in content resolution\nWhen an Android application wants to access data in a content provider, it uses the `ContentResolver` object. `ContentResolver`s communicate with an instance of a class that implements the `ContentProvider` interface via URIs with the `content://` scheme. The authority part (the first path segment) of the URI, passed as parameter to the `ContentResolver`, determines which content provider is contacted for the operation. Specific operations that act on files also support the `file://` scheme, in which case the local filesystem is queried instead. If an external component, like a malicious or compromised application, controls the URI for a `ContentResolver` operation, it can trick the vulnerable application into accessing its own private files or non-exported content providers. The attacking application might be able to get access to the file by forcing it to be copied to a public directory, like external storage, or tamper with the contents by making the application overwrite the file with unexpected data.\n\n\n## Recommendation\nIf possible, avoid using externally-provided data to determine the URI for a `ContentResolver` to use. If that is not an option, validate that the incoming URI can only reference trusted components, like an allow list of content providers and/or applications, or alternatively make sure that the URI does not reference private directories like `/data/`.\n\n\n## Example\nThis example shows three ways of opening a file using a `ContentResolver`. In the first case, externally-provided data from an intent is used directly in the file-reading operation. 
This allows an attacker to provide a URI of the form `/data/data/(vulnerable app package)/(private file)` to trick the application into reading it and copying it to the external storage. In the second case, an insufficient check is performed on the externally-provided URI, still leaving room for exploitation. In the third case, the URI is correctly validated before being used, making sure it does not reference any internal application files.\n\n\n```java\nimport android.content.ContentResolver;\nimport android.net.Uri;\n\npublic class Example extends Activity {\n public void onCreate() {\n // BAD: Externally-provided URI directly used in content resolution\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // BAD: input URI is not normalized, and check can be bypassed with \"..\" characters\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n if (path.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // GOOD: URI is properly validated to block access to internal files\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n java.nio.file.Path normalized =\n java.nio.file.FileSystems.getDefault().getPath(path).normalize();\n if (normalized.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n }\n\n private void copyToExternalCache(InputStream is) {\n // Reads the contents of is and writes a file in the app's external\n // cache directory, which can be read publicly by applications in the same device.\n 
}\n}\n\n```\n\n## References\n* Android developers: [Content provider basics](https://developer.android.com/guide/topics/providers/content-provider-basics)\n* [The ContentResolver class](https://developer.android.com/reference/android/content/ContentResolver)\n* Common Weakness Enumeration: [CWE-441](https://cwe.mitre.org/data/definitions/441.html).\n* Common Weakness Enumeration: [CWE-610](https://cwe.mitre.org/data/definitions/610.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-441", + "external/cwe/cwe-610", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/android/webview-debugging-enabled", + "name": "java/android/webview-debugging-enabled", + "shortDescription": { + "text": "Android Webview debugging enabled" + }, + "fullDescription": { + "text": "Enabling Webview debugging in production builds can expose entry points or leak sensitive information." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Android Webview debugging enabled\nThe `WebView.setWebContentsDebuggingEnabled` method enables or disables the contents of any `WebView` in the application to be debugged.\n\nYou should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.\n\n\n## Recommendation\nEnsure that debugging features are not enabled in production builds, such as by guarding calls to `WebView.setWebContentsDebuggingEnabled(true)` by a flag that is only enabled in debug builds.\n\n\n## Example\nIn the first (bad) example, WebView debugging is always enabled. 
whereas the GOOD case only enables it if the `android:debuggable` attribute is set to `true`.\n\n\n```java\n// BAD - debugging is always enabled \nWebView.setWebContentsDebuggingEnabled(true);\n\n// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.\nif (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {\n WebView.setWebContentsDebuggingEnabled(true);\n}\n```\n\n## References\n* Android Developers: [setWebContentsDebuggingEnabled](https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)).\n* Android Developers: [Remote debugging WebViews](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n", + "markdown": "# Android Webview debugging enabled\nThe `WebView.setWebContentsDebuggingEnabled` method enables or disables the contents of any `WebView` in the application to be debugged.\n\nYou should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.\n\n\n## Recommendation\nEnsure that debugging features are not enabled in production builds, such as by guarding calls to `WebView.setWebContentsDebuggingEnabled(true)` by a flag that is only enabled in debug builds.\n\n\n## Example\nIn the first (bad) example, WebView debugging is always enabled. 
whereas the GOOD case only enables it if the `android:debuggable` attribute is set to `true`.\n\n\n```java\n// BAD - debugging is always enabled \nWebView.setWebContentsDebuggingEnabled(true);\n\n// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.\nif (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {\n WebView.setWebContentsDebuggingEnabled(true);\n}\n```\n\n## References\n* Android Developers: [setWebContentsDebuggingEnabled](https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)).\n* Android Developers: [Remote debugging WebViews](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-489", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql", + "precision": "high", + "security-severity": "7.2" + } + }, + { + "id": "java/cleartext-storage-in-cookie", + "name": "java/cleartext-storage-in-cookie", + "shortDescription": { + "text": "Cleartext storage of sensitive information in cookie" + }, + "fullDescription": { + "text": "Storing sensitive information in cleartext can expose it to an attacker." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Cleartext storage of sensitive information in cookie\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. It may be wise to encrypt information before it is put into a heap data structure (such as `Java.util.Properties`) that may be written to disk later. 
Objects that are serializable or marshallable should also always contain encrypted information unless you are certain that they are not ever going to be serialized.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\n\n## Example\nThe following example shows two ways of storing user credentials in a cookie. In the 'BAD' case, the credentials are simply stored in cleartext. In the 'GOOD' case, the credentials are hashed before storing them.\n\n\n```java\npublic static void main(String[] args) {\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"BP@ssw0rd\".toCharArray());\n\t\tdata = credentials.getUserName() + \":\" + new String(credentials.getPassword());\n\t\n\t\t// BAD: store data in a cookie in cleartext form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n\t\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"GP@ssw0rd\".toCharArray());\n\t\tString salt = \"ThisIsMySalt\";\n\t\tMessageDigest messageDigest = MessageDigest.getInstance(\"SHA-512\");\n\t\tmessageDigest.reset();\n\t\tString credentialsToHash =\n\t\t\t\tcredentials.getUserName() + \":\" + credentials.getPassword();\n\t\tbyte[] hashedCredsAsBytes =\n\t\t\t\tmessageDigest.digest((salt+credentialsToHash).getBytes(\"UTF-8\"));\n\t\tdata = bytesToString(hashedCredsAsBytes);\n\t\t\n\t\t// GOOD: store data in a cookie in encrypted form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n}\n\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. 
Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n", + "markdown": "# Cleartext storage of sensitive information in cookie\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. It may be wise to encrypt information before it is put into a heap data structure (such as `Java.util.Properties`) that may be written to disk later. Objects that are serializable or marshallable should also always contain encrypted information unless you are certain that they are not ever going to be serialized.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\n\n## Example\nThe following example shows two ways of storing user credentials in a cookie. In the 'BAD' case, the credentials are simply stored in cleartext. 
In the 'GOOD' case, the credentials are hashed before storing them.\n\n\n```java\npublic static void main(String[] args) {\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"BP@ssw0rd\".toCharArray());\n\t\tdata = credentials.getUserName() + \":\" + new String(credentials.getPassword());\n\t\n\t\t// BAD: store data in a cookie in cleartext form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n\t\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"GP@ssw0rd\".toCharArray());\n\t\tString salt = \"ThisIsMySalt\";\n\t\tMessageDigest messageDigest = MessageDigest.getInstance(\"SHA-512\");\n\t\tmessageDigest.reset();\n\t\tString credentialsToHash =\n\t\t\t\tcredentials.getUserName() + \":\" + credentials.getPassword();\n\t\tbyte[] hashedCredsAsBytes =\n\t\t\t\tmessageDigest.digest((salt+credentialsToHash).getBytes(\"UTF-8\"));\n\t\tdata = bytesToString(hashedCredsAsBytes);\n\t\t\n\t\t// GOOD: store data in a cookie in encrypted form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n}\n\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. 
Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-315", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/command-line-injection", + "name": "java/command-line-injection", + "shortDescription": { + "text": "Uncontrolled command line" + }, + "fullDescription": { + "text": "Using externally controlled strings in a command line is vulnerable to malicious changes in the strings." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Uncontrolled command line\nCode that passes user input directly to `Runtime.exec`, or some other library routine that executes a command, allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the command to run or library to load. Instead of passing the user input directly to the process or library function, examine the user input and then choose among hard-coded string literals.\n\nIf the applicable libraries or commands cannot be determined at compile time, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that takes a shell script that can be changed maliciously by a user, and passes it straight to `Runtime.exec` without examining it first.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n String script = System.getenv(\"SCRIPTNAME\");\n if (script != null) {\n // BAD: The script to be executed is controlled by the user.\n Runtime.getRuntime().exec(script);\n }\n }\n}\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. 
Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown": "# Uncontrolled command line\nCode that passes user input directly to `Runtime.exec`, or some other library routine that executes a command, allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the command to run or library to load. Instead of passing the user input directly to the process or library function, examine the user input and then choose among hard-coded string literals.\n\nIf the applicable libraries or commands cannot be determined at compile time, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that takes a shell script that can be changed maliciously by a user, and passes it straight to `Runtime.exec` without examining it first.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n String script = System.getenv(\"SCRIPTNAME\");\n if (script != null) {\n // BAD: The script to be executed is controlled by the user.\n Runtime.getRuntime().exec(script);\n }\n }\n}\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. 
Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-078", + "external/cwe/cwe-088", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/concatenated-command-line", + "name": "java/concatenated-command-line", + "shortDescription": { + "text": "Building a command line with string concatenation" + }, + "fullDescription": { + "text": "Using concatenated strings in a command line is vulnerable to malicious insertion of special characters in the strings." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Building a command line with string concatenation\nCode that builds a command line by concatenating strings that have been entered by a user allows the user to execute malicious code.\n\n\n## Recommendation\nExecute external commands using an array of strings rather than a single string. By using an array, many possible vulnerabilities in the formatting of the string are avoided.\n\n\n## Example\nIn the following example, `latlonCoords` contains a string that has been entered by a user but not validated by the program. This allows the user to, for example, append an ampersand (&) followed by the command for a malicious program to the end of the string. The ampersand instructs Windows to execute another program. In the block marked 'BAD', `latlonCoords` is passed to `exec` as part of a concatenated string, which allows more than one command to be executed. 
However, in the block marked 'GOOD', `latlonCoords` is passed as part of an array, which means that `exec` treats it only as an argument.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n // BAD: user input might include special characters such as ampersands\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(\"cmd.exe /C latlon2utm.exe \" + latlonCoords);\n }\n\n // GOOD: use an array of arguments instead of executing a string\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(new String[] {\n \"c:\\\\path\\to\\latlon2utm.exe\",\n latlonCoords });\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown": "# Building a command line with string concatenation\nCode that builds a command line by concatenating strings that have been entered by a user allows the user to execute malicious code.\n\n\n## Recommendation\nExecute external commands using an array of strings rather than a single string. By using an array, many possible vulnerabilities in the formatting of the string are avoided.\n\n\n## Example\nIn the following example, `latlonCoords` contains a string that has been entered by a user but not validated by the program. This allows the user to, for example, append an ampersand (&) followed by the command for a malicious program to the end of the string. The ampersand instructs Windows to execute another program. 
In the block marked 'BAD', `latlonCoords` is passed to `exec` as part of a concatenated string, which allows more than one command to be executed. However, in the block marked 'GOOD', `latlonCoords` is passed as part of an array, which means that `exec` treats it only as an argument.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n // BAD: user input might include special characters such as ampersands\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(\"cmd.exe /C latlon2utm.exe \" + latlonCoords);\n }\n\n // GOOD: use an array of arguments instead of executing a string\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(new String[] {\n \"c:\\\\path\\to\\latlon2utm.exe\",\n latlonCoords });\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-078", + "external/cwe/cwe-088", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/error-message-exposure", + "name": "java/error-message-exposure", + "shortDescription": { + "text": "Information exposure through an error message" + }, + "fullDescription": { + "text": "Information from an error message propagates to an external user. 
Error messages can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Information exposure through an error message\nThe error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the error message entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `getMessage()` method. As such, the user is able to see a detailed error message, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a exception message back to the response\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\tex.getMessage());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the exception message, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex.getMessage);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. 
Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n", + "markdown": "# Information exposure through an error message\nThe error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the error message entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `getMessage()` method. As such, the user is able to see a detailed error message, which may contain sensitive information. In the second version, the error message is logged only on the server. 
That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a exception message back to the response\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\tex.getMessage());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the exception message, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex.getMessage);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-209", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql", + "precision": "high", + "security-severity": "5.4" + } + }, + { + "id": "java/groovy-injection", + "name": "java/groovy-injection", + "shortDescription": { + "text": "Groovy Language injection" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled Groovy script may lead to arbitrary code execution." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Groovy Language injection\nApache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. If a Groovy script is built using attacker-controlled data, and then evaluated, then it may allow the attacker to achieve RCE.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a Groovy evaluation. If this is not possible, use a sandbox solution. Developers must also take care that Groovy compile-time metaprogramming can also lead to RCE: it is possible to achieve RCE by compiling a Groovy script (see the article \"Abusing Meta Programming for Unauthenticated RCE!\" linked below). Groovy's `SecureASTCustomizer` allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. The fundamental problem is that Groovy is a dynamic language, yet `SecureASTCustomizer` works by looking at Groovy AST statically. This makes it very easy for an attacker to bypass many of the intended checks (see \\[Groovy SecureASTCustomizer is harmful\\](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/)). Therefore, besides `SecureASTCustomizer`, runtime checks are also necessary before calling Groovy methods (see \\[Improved sandboxing of Groovy scripts\\](https://melix.github.io/blog/2015/03/sandboxing.html)). It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. 
This method is not always recommended, because block-lists can be bypassed by unexpected values.\n\n\n## Example\nThe following example uses untrusted data to evaluate a Groovy script.\n\n\n```java\npublic class GroovyInjection {\n void injectionViaClassLoader(HttpServletRequest request) { \n String script = request.getParameter(\"script\");\n final GroovyClassLoader classLoader = new GroovyClassLoader();\n Class groovy = classLoader.parseClass(script);\n GroovyObject groovyObj = (GroovyObject) groovy.newInstance();\n }\n\n void injectionViaEval(HttpServletRequest request) {\n String script = request.getParameter(\"script\");\n Eval.me(script);\n }\n\n void injectionViaGroovyShell(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n shell.evaluate(script);\n }\n\n void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n GroovyCodeSource gcs = new GroovyCodeSource(script, \"test\", \"Test\");\n shell.evaluate(gcs);\n }\n}\n\n\n```\nThe following example uses classloader block-list approach to exclude loading dangerous classes.\n\n\n```java\npublic class SandboxGroovyClassLoader extends ClassLoader {\n public SandboxGroovyClassLoader(ClassLoader parent) {\n super(parent);\n }\n\n /* override `loadClass` here to prevent loading sensitive classes, such as `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.lang.System`, etc. */\n /* Note we must also block `groovy.transform.ASTTest`, `groovy.lang.GrabConfig` and `org.buildobjects.process.ProcBuilder` to prevent compile-time RCE. 
*/\n\n static void runWithSandboxGroovyClassLoader() throws Exception {\n // GOOD: route all class-loading via sand-boxing classloader.\n SandboxGroovyClassLoader classLoader = new GroovyClassLoader(new SandboxGroovyClassLoader());\n \n Class scriptClass = classLoader.parseClass(untrusted.getQueryString());\n Object scriptInstance = scriptClass.newInstance();\n Object result = scriptClass.getDeclaredMethod(\"bar\", new Class[]{}).invoke(scriptInstance, new Object[]{});\n }\n}\n```\n\n## References\n* Orange Tsai: [Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html).\n* Cédric Champeau: [Improved sandboxing of Groovy scripts](https://melix.github.io/blog/2015/03/sandboxing.html).\n* Kohsuke Kawaguchi: [Groovy SecureASTCustomizer is harmful](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).\n* Welk1n: [Groovy Injection payloads](https://github.com/welk1n/exploiting-groovy-in-Java/).\n* Charles Chan: [Secure Groovy Script Execution in a Sandbox](https://levelup.gitconnected.com/secure-groovy-script-execution-in-a-sandbox-ea39f80ee87/).\n* Eugene: [Scripting and sandboxing in a JVM environment](https://stringconcat.com/en/scripting-and-sandboxing/).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Groovy Language injection\nApache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. 
If a Groovy script is built using attacker-controlled data, and then evaluated, then it may allow the attacker to achieve RCE.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a Groovy evaluation. If this is not possible, use a sandbox solution. Developers must also take care that Groovy compile-time metaprogramming can also lead to RCE: it is possible to achieve RCE by compiling a Groovy script (see the article \"Abusing Meta Programming for Unauthenticated RCE!\" linked below). Groovy's `SecureASTCustomizer` allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. The fundamental problem is that Groovy is a dynamic language, yet `SecureASTCustomizer` works by looking at Groovy AST statically. This makes it very easy for an attacker to bypass many of the intended checks (see \\[Groovy SecureASTCustomizer is harmful\\](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/)). Therefore, besides `SecureASTCustomizer`, runtime checks are also necessary before calling Groovy methods (see \\[Improved sandboxing of Groovy scripts\\](https://melix.github.io/blog/2015/03/sandboxing.html)). It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. 
This method is not always recommended, because block-lists can be bypassed by unexpected values.\n\n\n## Example\nThe following example uses untrusted data to evaluate a Groovy script.\n\n\n```java\npublic class GroovyInjection {\n void injectionViaClassLoader(HttpServletRequest request) { \n String script = request.getParameter(\"script\");\n final GroovyClassLoader classLoader = new GroovyClassLoader();\n Class groovy = classLoader.parseClass(script);\n GroovyObject groovyObj = (GroovyObject) groovy.newInstance();\n }\n\n void injectionViaEval(HttpServletRequest request) {\n String script = request.getParameter(\"script\");\n Eval.me(script);\n }\n\n void injectionViaGroovyShell(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n shell.evaluate(script);\n }\n\n void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n GroovyCodeSource gcs = new GroovyCodeSource(script, \"test\", \"Test\");\n shell.evaluate(gcs);\n }\n}\n\n\n```\nThe following example uses classloader block-list approach to exclude loading dangerous classes.\n\n\n```java\npublic class SandboxGroovyClassLoader extends ClassLoader {\n public SandboxGroovyClassLoader(ClassLoader parent) {\n super(parent);\n }\n\n /* override `loadClass` here to prevent loading sensitive classes, such as `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.lang.System`, etc. */\n /* Note we must also block `groovy.transform.ASTTest`, `groovy.lang.GrabConfig` and `org.buildobjects.process.ProcBuilder` to prevent compile-time RCE. 
*/\n\n static void runWithSandboxGroovyClassLoader() throws Exception {\n // GOOD: route all class-loading via sand-boxing classloader.\n SandboxGroovyClassLoader classLoader = new GroovyClassLoader(new SandboxGroovyClassLoader());\n \n Class scriptClass = classLoader.parseClass(untrusted.getQueryString());\n Object scriptInstance = scriptClass.newInstance();\n Object result = scriptClass.getDeclaredMethod(\"bar\", new Class[]{}).invoke(scriptInstance, new Object[]{});\n }\n}\n```\n\n## References\n* Orange Tsai: [Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html).\n* Cédric Champeau: [Improved sandboxing of Groovy scripts](https://melix.github.io/blog/2015/03/sandboxing.html).\n* Kohsuke Kawaguchi: [Groovy SecureASTCustomizer is harmful](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).\n* Welk1n: [Groovy Injection payloads](https://github.com/welk1n/exploiting-groovy-in-Java/).\n* Charles Chan: [Secure Groovy Script Execution in a Sandbox](https://levelup.gitconnected.com/secure-groovy-script-execution-in-a-sandbox-ea39f80ee87/).\n* Eugene: [Scripting and sandboxing in a JVM environment](https://stringconcat.com/en/scripting-and-sandboxing/).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/http-response-splitting", + "name": "java/http-response-splitting", + "shortDescription": { + "text": "HTTP response splitting" + }, + "fullDescription": { + "text": "Writing user input directly to an HTTP header makes code vulnerable to attack by header splitting." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# HTTP response splitting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. 
The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. 
The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n", + "markdown": "# HTTP response splitting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. 
The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. 
The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response 
splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-113", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/implicit-cast-in-compound-assignment", + "name": "java/implicit-cast-in-compound-assignment", + "shortDescription": { + "text": "Implicit narrowing conversion in compound assignment" + }, + "fullDescription": { + "text": "Compound assignment statements (for example 'intvar += longvar') that implicitly cast a value of a wider type to a narrower type may result in information loss and numeric errors such as overflows." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Implicit narrowing conversion in compound assignment\nCompound assignment statements of the form `x += y` or `x *= y` perform an implicit narrowing conversion if the type of `x` is narrower than the type of `y`. For example, `x += y` is equivalent to `x = (T)(x + y)`, where `T` is the type of `x`. This can result in information loss and numeric errors such as overflows.\n\n\n## Recommendation\nEnsure that the type of the left-hand side of the compound assignment statement is at least as wide as the type of the right-hand side.\n\n\n## Example\nIf `x` is of type `short` and `y` is of type `int`, the expression `x + y` is of type `int`. However, the expression `x += y` is equivalent to `x = (short) (x + y)`. The expression `x + y` is cast to the type of the left-hand side of the assignment: `short`, possibly leading to information loss.\n\nTo avoid implicitly narrowing the type of `x + y`, change the type of `x` to `int`. 
Then the types of `x` and `x + y` are both `int` and there is no need for an implicit cast.\n\n\n## References\n* J. Bloch and N. Gafter, *Java Puzzlers: Traps, Pitfalls, and Corner Cases*, Puzzle 9. Addison-Wesley, 2005.\n* Java Language Specification: [Compound Assignment Operators](https://docs.oracle.com/javase/specs/jls/se11/html/jls-15.html#jls-15.26.2), [Narrowing Primitive Conversion](https://docs.oracle.com/javase/specs/jls/se11/html/jls-5.html#jls-5.1.3).\n* SEI CERT Oracle Coding Standard for Java: [NUM00-J. Detect or prevent integer overflow](https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow).\n* Common Weakness Enumeration: [CWE-190](https://cwe.mitre.org/data/definitions/190.html).\n* Common Weakness Enumeration: [CWE-192](https://cwe.mitre.org/data/definitions/192.html).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n", + "markdown": "# Implicit narrowing conversion in compound assignment\nCompound assignment statements of the form `x += y` or `x *= y` perform an implicit narrowing conversion if the type of `x` is narrower than the type of `y`. For example, `x += y` is equivalent to `x = (T)(x + y)`, where `T` is the type of `x`. This can result in information loss and numeric errors such as overflows.\n\n\n## Recommendation\nEnsure that the type of the left-hand side of the compound assignment statement is at least as wide as the type of the right-hand side.\n\n\n## Example\nIf `x` is of type `short` and `y` is of type `int`, the expression `x + y` is of type `int`. However, the expression `x += y` is equivalent to `x = (short) (x + y)`. The expression `x + y` is cast to the type of the left-hand side of the assignment: `short`, possibly leading to information loss.\n\nTo avoid implicitly narrowing the type of `x + y`, change the type of `x` to `int`. 
Then the types of `x` and `x + y` are both `int` and there is no need for an implicit cast.\n\n\n## References\n* J. Bloch and N. Gafter, *Java Puzzlers: Traps, Pitfalls, and Corner Cases*, Puzzle 9. Addison-Wesley, 2005.\n* Java Language Specification: [Compound Assignment Operators](https://docs.oracle.com/javase/specs/jls/se11/html/jls-15.html#jls-15.26.2), [Narrowing Primitive Conversion](https://docs.oracle.com/javase/specs/jls/se11/html/jls-5.html#jls-5.1.3).\n* SEI CERT Oracle Coding Standard for Java: [NUM00-J. Detect or prevent integer overflow](https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow).\n* Common Weakness Enumeration: [CWE-190](https://cwe.mitre.org/data/definitions/190.html).\n* Common Weakness Enumeration: [CWE-192](https://cwe.mitre.org/data/definitions/192.html).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-190", + "external/cwe/cwe-192", + "external/cwe/cwe-197", + "external/cwe/cwe-681", + "reliability", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Likely%20Bugs/Arithmetic/InformationLoss.ql", + "precision": "very-high", + "security-severity": "8.1" + } + }, + { + "id": "java/improper-intent-verification", + "name": "java/improper-intent-verification", + "shortDescription": { + "text": "Improper verification of intent by broadcast receiver" + }, + "fullDescription": { + "text": "A broadcast receiver that does not verify intents it receives may be susceptible to unintended behavior by third party applications sending it explicit intents." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Improper verification of intent by broadcast receiver\nWhen an Android application uses a `BroadcastReceiver` to receive intents, it is also able to receive explicit intents that are sent directly to it, regardless of its filter. Certain intent actions are only able to be sent by the operating system, not third-party applications. However, a `BroadcastReceiver` that is registered to receive system intents is still able to receive intents from a third-party application, so it should check that the intent received has the expected action. Otherwise, a third-party application could impersonate the system this way to cause unintended behavior, such as a denial of service.\n\n\n## Example\nIn the following code, the `ShutdownReceiver` initiates a shutdown procedure upon receiving an intent, without checking that the received action is indeed `ACTION_SHUTDOWN`. This allows third-party applications to send explicit intents to this receiver to cause a denial of service.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n```xml\n\n \n \n \n \n \n \n \n\n```\n\n## Recommendation\nIn the `onReceive` method of a `BroadcastReceiver`, the action of the received Intent should be checked. 
The following code demonstrates this.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {\n return;\n }\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n## References\n* Common Weakness Enumeration: [CWE-925](https://cwe.mitre.org/data/definitions/925.html).\n", + "markdown": "# Improper verification of intent by broadcast receiver\nWhen an Android application uses a `BroadcastReceiver` to receive intents, it is also able to receive explicit intents that are sent directly to it, regardless of its filter. Certain intent actions are only able to be sent by the operating system, not third-party applications. However, a `BroadcastReceiver` that is registered to receive system intents is still able to receive intents from a third-party application, so it should check that the intent received has the expected action. Otherwise, a third-party application could impersonate the system this way to cause unintended behavior, such as a denial of service.\n\n\n## Example\nIn the following code, the `ShutdownReceiver` initiates a shutdown procedure upon receiving an intent, without checking that the received action is indeed `ACTION_SHUTDOWN`. This allows third-party applications to send explicit intents to this receiver to cause a denial of service.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n```xml\n\n \n \n \n \n \n \n \n\n```\n\n## Recommendation\nIn the `onReceive` method of a `BroadcastReceiver`, the action of the received Intent should be checked. 
The following code demonstrates this.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {\n return;\n }\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n## References\n* Common Weakness Enumeration: [CWE-925](https://cwe.mitre.org/data/definitions/925.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-925", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/improper-webview-certificate-validation", + "name": "java/improper-webview-certificate-validation", + "shortDescription": { + "text": "Android `WebView` that accepts all certificates" + }, + "fullDescription": { + "text": "Trusting all certificates allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android `WebView` that accepts all certificates\nIf the `onReceivedSslError` method of an Android `WebViewClient` always calls `proceed` on the given `SslErrorHandler`, it trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable application connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable application calls the `onReceivedSslError` method to check whether it should trust the certificate.\n1. The `onReceivedSslError` method of your `WebViewClient` calls `SslErrorHandler.proceed`.\n1. 
The vulnerable application accepts the certificate and proceeds with the connection since your `WevViewClient` trusted it by proceeding.\n1. The attacker can now read the data your application sends to `https://example.com` and/or alter its replies while the application thinks the connection is secure.\n\n## Recommendation\nDo not use a call `SslerrorHandler.proceed` unconditionally. If you have to use a self-signed certificate, only accept that certificate, not all certificates.\n\n\n## Example\nIn the first (bad) example, the `WebViewClient` trusts all certificates by always calling `SslErrorHandler.proceed`. In the second (good) example, only certificates signed by a certain public key are accepted.\n\n\n```java\nclass Bad extends WebViewClient {\n // BAD: All certificates are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n handler.proceed(); \n }\n}\n\nclass Good extends WebViewClient {\n PublicKey myPubKey = ...;\n\n // GOOD: Only certificates signed by a certain public key are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n try {\n X509Certificate cert = error.getCertificate().getX509Certificate();\n cert.verify(this.myPubKey);\n handler.proceed();\n }\n catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {\n handler.cancel();\n }\n } \n}\n```\n\n## References\n* [WebViewClient.onReceivedSslError documentation](https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n", + "markdown": "# Android `WebView` that accepts all certificates\nIf the `onReceivedSslError` method of an Android `WebViewClient` always calls `proceed` on the given 
`SslErrorHandler`, it trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable application connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable application calls the `onReceivedSslError` method to check whether it should trust the certificate.\n1. The `onReceivedSslError` method of your `WebViewClient` calls `SslErrorHandler.proceed`.\n1. The vulnerable application accepts the certificate and proceeds with the connection since your `WevViewClient` trusted it by proceeding.\n1. The attacker can now read the data your application sends to `https://example.com` and/or alter its replies while the application thinks the connection is secure.\n\n## Recommendation\nDo not use a call `SslerrorHandler.proceed` unconditionally. If you have to use a self-signed certificate, only accept that certificate, not all certificates.\n\n\n## Example\nIn the first (bad) example, the `WebViewClient` trusts all certificates by always calling `SslErrorHandler.proceed`. 
In the second (good) example, only certificates signed by a certain public key are accepted.\n\n\n```java\nclass Bad extends WebViewClient {\n // BAD: All certificates are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n handler.proceed(); \n }\n}\n\nclass Good extends WebViewClient {\n PublicKey myPubKey = ...;\n\n // GOOD: Only certificates signed by a certain public key are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n try {\n X509Certificate cert = error.getCertificate().getX509Certificate();\n cert.verify(this.myPubKey);\n handler.proceed();\n }\n catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {\n handler.cancel();\n }\n } \n}\n```\n\n## References\n* [WebViewClient.onReceivedSslError documentation](https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-295", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/insecure-bean-validation", + "name": "java/insecure-bean-validation", + "shortDescription": { + "text": "Insecure Bean Validation" + }, + "fullDescription": { + "text": "User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Insecure Bean Validation\nCustom error messages for constraint validators support different types of interpolation, including [Java EL expressions](https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions). Controlling part of the message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()` argument can lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.\n\n\n## Recommendation\nThere are different approaches to remediate the issue:\n\n* Do not include validated bean properties in the custom error message.\n* Use parameterized messages instead of string concatenation. For example:\n```\nHibernateConstraintValidatorContext context =\n constraintValidatorContext.unwrap(HibernateConstraintValidatorContext.class);\ncontext.addMessageParameter(\"foo\", \"bar\");\ncontext.buildConstraintViolationWithTemplate(\"My violation message contains a parameter {foo}\")\n .addConstraintViolation();\n```\n* Sanitize the validated bean properties to make sure that there are no EL expressions. An example of valid sanitization logic can be found [here](https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17).\n* Disable the EL interpolation and only use `ParameterMessageInterpolator`:\n```\nValidator validator = Validation.byDefaultProvider()\n .configure()\n .messageInterpolator(new ParameterMessageInterpolator())\n .buildValidatorFactory()\n .getValidator();\n```\n* Replace Hibernate Validator with Apache BVal, which in its latest version does not interpolate EL expressions by default. 
Note that this replacement may not be a simple drop-in replacement.\n\n## Example\nThe following validator could result in arbitrary Java code execution:\n\n\n```java\nimport javax.validation.ConstraintValidator;\nimport javax.validation.ConstraintValidatorContext;\nimport org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;\nimport java.util.regex.Matcher;\nimport java.util.regex.Pattern;\n\npublic class TestValidator implements ConstraintValidator {\n\n public static class InterpolationHelper {\n\n public static final char BEGIN_TERM = '{';\n public static final char END_TERM = '}';\n public static final char EL_DESIGNATOR = '$';\n public static final char ESCAPE_CHARACTER = '\\\\';\n\n private static final Pattern ESCAPE_MESSAGE_PARAMETER_PATTERN = Pattern.compile( \"([\\\\\" + ESCAPE_CHARACTER + BEGIN_TERM + END_TERM + EL_DESIGNATOR + \"])\" );\n\n private InterpolationHelper() {\n }\n\n public static String escapeMessageParameter(String messageParameter) {\n if ( messageParameter == null ) {\n return null;\n }\n return ESCAPE_MESSAGE_PARAMETER_PATTERN.matcher( messageParameter ).replaceAll( Matcher.quoteReplacement( String.valueOf( ESCAPE_CHARACTER ) ) + \"$1\" );\n }\n\n }\n\n @Override\n public boolean isValid(String object, ConstraintValidatorContext constraintContext) {\n String value = object + \" is invalid\";\n\n // Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`\n constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are escaped \n String escaped = InterpolationHelper.escapeMessageParameter(value);\n constraintContext.buildConstraintViolationWithTemplate(escaped).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are parameterized\n HibernateConstraintValidatorContext 
context = constraintContext.unwrap( HibernateConstraintValidatorContext.class );\n context.addMessageParameter( \"prop\", object );\n context.buildConstraintViolationWithTemplate( \"{prop} is invalid\").addConstraintViolation();\n return false;\n }\n\n}\n\n```\n\n## References\n* Hibernate Reference Guide: [ConstraintValidatorContext](https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code).\n* GitHub Security Lab research: [Bean validation](https://securitylab.github.com/research/bean-validation-RCE).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Insecure Bean Validation\nCustom error messages for constraint validators support different types of interpolation, including [Java EL expressions](https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions). Controlling part of the message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()` argument can lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.\n\n\n## Recommendation\nThere are different approaches to remediate the issue:\n\n* Do not include validated bean properties in the custom error message.\n* Use parameterized messages instead of string concatenation. For example:\n```\nHibernateConstraintValidatorContext context =\n constraintValidatorContext.unwrap(HibernateConstraintValidatorContext.class);\ncontext.addMessageParameter(\"foo\", \"bar\");\ncontext.buildConstraintViolationWithTemplate(\"My violation message contains a parameter {foo}\")\n .addConstraintViolation();\n```\n* Sanitize the validated bean properties to make sure that there are no EL expressions. 
An example of valid sanitization logic can be found [here](https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17).\n* Disable the EL interpolation and only use `ParameterMessageInterpolator`:\n```\nValidator validator = Validation.byDefaultProvider()\n .configure()\n .messageInterpolator(new ParameterMessageInterpolator())\n .buildValidatorFactory()\n .getValidator();\n```\n* Replace Hibernate Validator with Apache BVal, which in its latest version does not interpolate EL expressions by default. Note that this replacement may not be a simple drop-in replacement.\n\n## Example\nThe following validator could result in arbitrary Java code execution:\n\n\n```java\nimport javax.validation.ConstraintValidator;\nimport javax.validation.ConstraintValidatorContext;\nimport org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;\nimport java.util.regex.Matcher;\nimport java.util.regex.Pattern;\n\npublic class TestValidator implements ConstraintValidator {\n\n public static class InterpolationHelper {\n\n public static final char BEGIN_TERM = '{';\n public static final char END_TERM = '}';\n public static final char EL_DESIGNATOR = '$';\n public static final char ESCAPE_CHARACTER = '\\\\';\n\n private static final Pattern ESCAPE_MESSAGE_PARAMETER_PATTERN = Pattern.compile( \"([\\\\\" + ESCAPE_CHARACTER + BEGIN_TERM + END_TERM + EL_DESIGNATOR + \"])\" );\n\n private InterpolationHelper() {\n }\n\n public static String escapeMessageParameter(String messageParameter) {\n if ( messageParameter == null ) {\n return null;\n }\n return ESCAPE_MESSAGE_PARAMETER_PATTERN.matcher( messageParameter ).replaceAll( Matcher.quoteReplacement( String.valueOf( ESCAPE_CHARACTER ) ) + \"$1\" );\n }\n\n }\n\n @Override\n public boolean isValid(String object, ConstraintValidatorContext constraintContext) {\n String value = object + \" is invalid\";\n\n 
// Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`\n constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are escaped \n String escaped = InterpolationHelper.escapeMessageParameter(value);\n constraintContext.buildConstraintViolationWithTemplate(escaped).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are parameterized\n HibernateConstraintValidatorContext context = constraintContext.unwrap( HibernateConstraintValidatorContext.class );\n context.addMessageParameter( \"prop\", object );\n context.buildConstraintViolationWithTemplate( \"{prop} is invalid\").addConstraintViolation();\n return false;\n }\n\n}\n\n```\n\n## References\n* Hibernate Reference Guide: [ConstraintValidatorContext](https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code).\n* GitHub Security Lab research: [Bean validation](https://securitylab.github.com/research/bean-validation-RCE).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/insecure-cookie", + "name": "java/insecure-cookie", + "shortDescription": { + "text": "Failure to use secure cookies" + }, + "fullDescription": { + "text": "Insecure cookies may be sent in cleartext, which makes them vulnerable to interception." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Failure to use secure cookies\nFailing to set the 'secure' flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.\n\n\n## Recommendation\nAlways use `setSecure` to set the 'secure' flag on a cookie before adding it to an `HttpServletResponse`.\n\n\n## Example\nThis example shows two ways of adding a cookie to an `HttpServletResponse`. The first way leaves out the setting of the 'secure' flag; the second way includes the setting of the flag.\n\n\n```java\npublic static void test(HttpServletRequest request, HttpServletResponse response) {\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// BAD: 'secure' flag not set\n\t\tresponse.addCookie(cookie);\n\t}\n\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// GOOD: set 'secure' flag\n\t\tcookie.setSecure(true);\n\t\tresponse.addCookie(cookie);\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* Java Platform, Enterprise Edition (Java EE) 7, API Specification: [Class Cookie](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n", + "markdown": "# Failure to use secure cookies\nFailing to set the 'secure' flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.\n\n\n## Recommendation\nAlways use `setSecure` to set the 'secure' flag on a cookie before adding it to an `HttpServletResponse`.\n\n\n## Example\nThis example shows two ways of adding a cookie to an `HttpServletResponse`. 
The first way leaves out the setting of the 'secure' flag; the second way includes the setting of the flag.\n\n\n```java\npublic static void test(HttpServletRequest request, HttpServletResponse response) {\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// BAD: 'secure' flag not set\n\t\tresponse.addCookie(cookie);\n\t}\n\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// GOOD: set 'secure' flag\n\t\tcookie.setSecure(true);\n\t\tresponse.addCookie(cookie);\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* Java Platform, Enterprise Edition (Java EE) 7, API Specification: [Class Cookie](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-614", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/insecure-ldap-auth", + "name": "java/insecure-ldap-auth", + "shortDescription": { + "text": "Insecure LDAP authentication" + }, + "fullDescription": { + "text": "LDAP authentication with credentials sent in cleartext makes sensitive information vulnerable to remote attackers" + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Insecure LDAP authentication\nWhen using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. 
Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.\n\n\n## Recommendation\nUse the `ldaps://` protocol to send credentials through SSL or use SASL authentication.\n\n\n## Example\nIn the following (bad) example, a `ldap://` URL is used and credentials will be sent in plaintext.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldaps://` URL is used so credentials will be encrypted with SSL.\n\n\n```java\nString ldapUrl = \"ldaps://ad.your-server.com:636\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldap://` URL is used, but SASL authentication is enabled so that the credentials will be encrypted.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, 
\"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"DIGEST-MD5 GSSAPI\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\n\n## References\n* Oracle: [LDAP and LDAPS URLs](https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html)\n* Oracle: [Simple authentication](https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html)\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n", + "markdown": "# Insecure LDAP authentication\nWhen using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.\n\n\n## Recommendation\nUse the `ldaps://` protocol to send credentials through SSL or use SASL authentication.\n\n\n## Example\nIn the following (bad) example, a `ldap://` URL is used and credentials will be sent in plaintext.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldaps://` URL is used so credentials will be encrypted with SSL.\n\n\n```java\nString ldapUrl = \"ldaps://ad.your-server.com:636\";\nHashtable environment = new 
Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldap://` URL is used, but SASL authentication is enabled so that the credentials will be encrypted.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"DIGEST-MD5 GSSAPI\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\n\n## References\n* Oracle: [LDAP and LDAPS URLs](https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html)\n* Oracle: [Simple authentication](https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html)\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-319", + "external/cwe/cwe-522", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/insecure-randomness", + "name": "java/insecure-randomness", + "shortDescription": { + "text": "Insecure randomness" + }, + 
"fullDescription": { + "text": "Using a cryptographically Insecure pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Insecure randomness\nIf you use a cryptographically weak pseudo-random number generator to generate security-sensitive values, such as passwords, attackers can more easily predict those values.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values (the seed). If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nThe `java.util.Random` random number generator is not cryptographically secure. Use a secure random number generator such as `java.security.SecureRandom` instead.\n\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a general rule, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\n\n## Example\nThe following examples show different ways of generating a cookie with a random value.\n\nIn the first (BAD) case, we generate a fresh cookie by appending a random integer to the end of a static string. 
The random number generator used (`Random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated cookie.\n\n\n```java\nRandom r = new Random();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\nIn the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`SecureRandom`) is cryptographically secure, so it is not possible for an attacker to predict the generated cookie.\n\n\n```java\nSecureRandom r = new SecureRandom();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Java Docs: [Random](http://docs.oracle.com/javase/8/docs/api/java/util/Random.html).\n* Java Docs: [SecureRandom](http://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).\n* Common Weakness Enumeration: [CWE-330](https://cwe.mitre.org/data/definitions/330.html).\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n", + "markdown": "# Insecure randomness\nIf you use a cryptographically weak pseudo-random number generator to generate security-sensitive values, such as passwords, attackers can more easily predict those values.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values (the seed). 
If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nThe `java.util.Random` random number generator is not cryptographically secure. Use a secure random number generator such as `java.security.SecureRandom` instead.\n\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a general rule, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\n\n## Example\nThe following examples show different ways of generating a cookie with a random value.\n\nIn the first (BAD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`Random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated cookie.\n\n\n```java\nRandom r = new Random();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\nIn the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static string. 
The random number generator used (`SecureRandom`) is cryptographically secure, so it is not possible for an attacker to predict the generated cookie.\n\n\n```java\nSecureRandom r = new SecureRandom();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Java Docs: [Random](http://docs.oracle.com/javase/8/docs/api/java/util/Random.html).\n* Java Docs: [SecureRandom](http://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).\n* Common Weakness Enumeration: [CWE-330](https://cwe.mitre.org/data/definitions/330.html).\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-330", + "external/cwe/cwe-338", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/insecure-trustmanager", + "name": "java/insecure-trustmanager", + "shortDescription": { + "text": "`TrustManager` that accepts all certificates" + }, + "fullDescription": { + "text": "Trusting all certificates allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# `TrustManager` that accepts all certificates\nIf the `checkServerTrusted` method of a `TrustManager` never throws a `CertificateException`, it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. 
The vulnerable program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable program calls the `checkServerTrusted` method to check whether it should trust the certificate.\n1. The `checkServerTrusted` method of your `TrustManager` does not throw a `CertificateException`.\n1. The vulnerable program accepts the certificate and proceeds with the connection since your `TrustManager` implicitly trusted it by not throwing an exception.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use a custom `TrustManager` that trusts any certificate. If you have to use a self-signed certificate, don't trust every certificate, but instead only trust this specific certificate. See below for an example of how to do this.\n\n\n## Example\nIn the first (bad) example, the `TrustManager` never throws a `CertificateException` and therefore implicitly trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack. In the second (good) example, the self-signed certificate that should be trusted is loaded into a `KeyStore`. 
This explicitly defines the certificate as trusted and there is no need to create a custom `TrustManager`.\n\n\n```java\npublic static void main(String[] args) throws Exception {\n {\n class InsecureTrustManager implements X509TrustManager {\n @Override\n public X509Certificate[] getAcceptedIssuers() {\n return null;\n }\n\n @Override\n public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n // BAD: Does not verify the certificate chain, allowing any certificate.\n }\n\n @Override\n public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n\n }\n }\n SSLContext context = SSLContext.getInstance(\"TLS\");\n TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };\n context.init(null, trustManager, null);\n }\n {\n SSLContext context = SSLContext.getInstance(\"TLS\");\n File certificateFile = new File(\"path/to/self-signed-certificate\");\n // Create a `KeyStore` with default type\n KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());\n // `keyStore` is initially empty\n keyStore.load(null, null);\n X509Certificate generatedCertificate;\n try (InputStream cert = new FileInputStream(certificateFile)) {\n generatedCertificate = (X509Certificate) CertificateFactory.getInstance(\"X509\")\n .generateCertificate(cert);\n }\n // Add the self-signed certificate to the key store\n keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);\n // Get default `TrustManagerFactory`\n TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n // Use it with our key store that trusts our self-signed certificate\n tmf.init(keyStore);\n TrustManager[] trustManagers = tmf.getTrustManagers();\n context.init(null, trustManagers, null);\n // GOOD, we are not using a custom `TrustManager` but instead have\n // added the self-signed certificate we want to trust to the key\n // store. 
Note, the `trustManagers` will **only** trust this one\n // certificate.\n \n URL url = new URL(\"https://self-signed.badssl.com/\");\n HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n conn.setSSLSocketFactory(context.getSocketFactory());\n }\n}\n\n```\n\n## References\n* Android Developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n", + "markdown": "# `TrustManager` that accepts all certificates\nIf the `checkServerTrusted` method of a `TrustManager` never throws a `CertificateException`, it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable program calls the `checkServerTrusted` method to check whether it should trust the certificate.\n1. The `checkServerTrusted` method of your `TrustManager` does not throw a `CertificateException`.\n1. The vulnerable program accepts the certificate and proceeds with the connection since your `TrustManager` implicitly trusted it by not throwing an exception.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use a custom `TrustManager` that trusts any certificate. If you have to use a self-signed certificate, don't trust every certificate, but instead only trust this specific certificate. 
See below for an example of how to do this.\n\n\n## Example\nIn the first (bad) example, the `TrustManager` never throws a `CertificateException` and therefore implicitly trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack. In the second (good) example, the self-signed certificate that should be trusted is loaded into a `KeyStore`. This explicitly defines the certificate as trusted and there is no need to create a custom `TrustManager`.\n\n\n```java\npublic static void main(String[] args) throws Exception {\n {\n class InsecureTrustManager implements X509TrustManager {\n @Override\n public X509Certificate[] getAcceptedIssuers() {\n return null;\n }\n\n @Override\n public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n // BAD: Does not verify the certificate chain, allowing any certificate.\n }\n\n @Override\n public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n\n }\n }\n SSLContext context = SSLContext.getInstance(\"TLS\");\n TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };\n context.init(null, trustManager, null);\n }\n {\n SSLContext context = SSLContext.getInstance(\"TLS\");\n File certificateFile = new File(\"path/to/self-signed-certificate\");\n // Create a `KeyStore` with default type\n KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());\n // `keyStore` is initially empty\n keyStore.load(null, null);\n X509Certificate generatedCertificate;\n try (InputStream cert = new FileInputStream(certificateFile)) {\n generatedCertificate = (X509Certificate) CertificateFactory.getInstance(\"X509\")\n .generateCertificate(cert);\n }\n // Add the self-signed certificate to the key store\n keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);\n // Get default `TrustManagerFactory`\n TrustManagerFactory tmf = 
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n // Use it with our key store that trusts our self-signed certificate\n tmf.init(keyStore);\n TrustManager[] trustManagers = tmf.getTrustManagers();\n context.init(null, trustManagers, null);\n // GOOD, we are not using a custom `TrustManager` but instead have\n // added the self-signed certificate we want to trust to the key\n // store. Note, the `trustManagers` will **only** trust this one\n // certificate.\n \n URL url = new URL(\"https://self-signed.badssl.com/\");\n HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n conn.setSSLSocketFactory(context.getSocketFactory());\n }\n}\n\n```\n\n## References\n* Android Developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-295", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/insufficient-key-size", + "name": "java/insufficient-key-size", + "shortDescription": { + "text": "Use of a cryptographic algorithm with insufficient key size" + }, + "fullDescription": { + "text": "Using cryptographic algorithms with too small a key size can allow an attacker to compromise security." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of a cryptographic algorithm with insufficient key size\nModern encryption relies on the computational infeasibility of breaking a cipher and decoding its message without the key. As computational power increases, the ability to break ciphers grows, and key sizes need to become larger as a result. 
Cryptographic algorithms that use too small of a key size are vulnerable to brute force attacks, which can reveal sensitive data.\n\n\n## Recommendation\nUse a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption, 256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.\n\n\n## Example\nThe following code uses cryptographic algorithms with insufficient key sizes.\n\n\n```java\n KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance(\"RSA\");\n keyPairGen1.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance(\"DSA\");\n keyPairGen2.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance(\"DH\");\n keyPairGen3.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance(\"EC\");\n ECGenParameterSpec ecSpec = new ECGenParameterSpec(\"secp112r1\"); // BAD: Key size is less than 256\n keyPairGen4.initialize(ecSpec);\n\n KeyGenerator keyGen = KeyGenerator.getInstance(\"AES\");\n keyGen.init(64); // BAD: Key size is less than 128\n\n```\nTo fix the code, change the key sizes to be the recommended size or larger for each algorithm.\n\n\n## References\n* Wikipedia: [Key size](http://en.wikipedia.org/wiki/Key_size).\n* Wikipedia: [Strong cryptography](https://en.wikipedia.org/wiki/Strong_cryptography).\n* OWASP: [ Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms).\n* OWASP: [ Testing for Weak Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption).\n* NIST: [ Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).\n* Common 
Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n", + "markdown": "# Use of a cryptographic algorithm with insufficient key size\nModern encryption relies on the computational infeasibility of breaking a cipher and decoding its message without the key. As computational power increases, the ability to break ciphers grows, and key sizes need to become larger as a result. Cryptographic algorithms that use too small of a key size are vulnerable to brute force attacks, which can reveal sensitive data.\n\n\n## Recommendation\nUse a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption, 256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.\n\n\n## Example\nThe following code uses cryptographic algorithms with insufficient key sizes.\n\n\n```java\n KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance(\"RSA\");\n keyPairGen1.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance(\"DSA\");\n keyPairGen2.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance(\"DH\");\n keyPairGen3.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance(\"EC\");\n ECGenParameterSpec ecSpec = new ECGenParameterSpec(\"secp112r1\"); // BAD: Key size is less than 256\n keyPairGen4.initialize(ecSpec);\n\n KeyGenerator keyGen = KeyGenerator.getInstance(\"AES\");\n keyGen.init(64); // BAD: Key size is less than 128\n\n```\nTo fix the code, change the key sizes to be the recommended size or larger for each algorithm.\n\n\n## References\n* Wikipedia: [Key size](http://en.wikipedia.org/wiki/Key_size).\n* Wikipedia: [Strong cryptography](https://en.wikipedia.org/wiki/Strong_cryptography).\n* OWASP: [ Cryptographic Storage Cheat 
Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms).\n* OWASP: [ Testing for Weak Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption).\n* NIST: [ Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-326", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/jexl-expression-injection", + "name": "java/jexl-expression-injection", + "shortDescription": { + "text": "Expression language injection (JEXL)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled JEXL expression may lead to arbitrary code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (JEXL)\nJava EXpression Language (JEXL) is a simple expression language provided by the Apache Commons JEXL library. The syntax is close to a mix of ECMAScript and shell-script. The language allows invocation of methods available in the JVM. If a JEXL expression is built using attacker-controlled data, and then evaluated, then it may allow the attacker to run arbitrary code.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a JEXL expression. 
If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only explicitly allowed classes.\n\n\n## Example\nThe following example uses untrusted data to build and run a JEXL expression.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String input = reader.readLine();\n JexlEngine jexl = new JexlBuilder().create();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows how an untrusted JEXL expression can be run in a sandbox that allows accessing only methods in the `java.lang.Math` class. The sandbox is implemented using `JexlSandbox` class that is provided by Apache Commons JEXL 3.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlSandbox onlyMath = new JexlSandbox(false);\n onlyMath.white(\"java.lang.Math\");\n JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows another way how a sandbox can be implemented. 
It uses a custom implementation of `JexlUberspect` that checks if callees are instances of allowed classes.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlUberspect sandbox = new JexlUberspectSandbox();\n JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n\n private static class JexlUberspectSandbox implements JexlUberspect {\n\n private static final List ALLOWED_CLASSES =\n Arrays.asList(\"java.lang.Math\", \"java.util.Random\");\n\n private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();\n\n private void checkAccess(Object obj) {\n if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {\n throw new AccessControlException(\"Not allowed\");\n }\n }\n\n @Override\n public JexlMethod getMethod(Object obj, String method, Object... args) {\n checkAccess(obj);\n return uberspect.getMethod(obj, method, args);\n }\n\n @Override\n public List getResolvers(JexlOperator op, Object obj) {\n checkAccess(obj);\n return uberspect.getResolvers(op, obj);\n }\n\n @Override\n public void setClassLoader(ClassLoader loader) {\n uberspect.setClassLoader(loader);\n }\n\n @Override\n public int getVersion() {\n return uberspect.getVersion();\n }\n\n @Override\n public JexlMethod getConstructor(Object obj, Object... 
args) {\n checkAccess(obj);\n return uberspect.getConstructor(obj, args);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(obj, identifier);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(List resolvers, Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(resolvers, obj, identifier);\n }\n\n @Override\n public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(obj, identifier, arg);\n }\n\n @Override\n public JexlPropertySet getPropertySet(List resolvers, Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(resolvers, obj, identifier, arg);\n }\n\n @Override\n public Iterator getIterator(Object obj) {\n checkAccess(obj);\n return uberspect.getIterator(obj);\n }\n\n @Override\n public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {\n return uberspect.getArithmetic(arithmetic);\n } \n }\n}\n```\n\n## References\n* Apache Commons JEXL: [Project page](https://commons.apache.org/proper/commons-jexl/).\n* Apache Commons JEXL documentation: [JEXL 2.1.1 API](https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/).\n* Apache Commons JEXL documentation: [JEXL 3.1 API](https://commons.apache.org/proper/commons-jexl/apidocs/index.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (JEXL)\nJava EXpression Language (JEXL) is a simple expression language provided by the Apache Commons JEXL library. The syntax is close to a mix of ECMAScript and shell-script. The language allows invocation of methods available in the JVM. 
If a JEXL expression is built using attacker-controlled data, and then evaluated, then it may allow the attacker to run arbitrary code.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a JEXL expression. If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only explicitly allowed classes.\n\n\n## Example\nThe following example uses untrusted data to build and run a JEXL expression.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String input = reader.readLine();\n JexlEngine jexl = new JexlBuilder().create();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows how an untrusted JEXL expression can be run in a sandbox that allows accessing only methods in the `java.lang.Math` class. The sandbox is implemented using `JexlSandbox` class that is provided by Apache Commons JEXL 3.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlSandbox onlyMath = new JexlSandbox(false);\n onlyMath.white(\"java.lang.Math\");\n JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows another way how a sandbox can be implemented. 
It uses a custom implementation of `JexlUberspect` that checks if callees are instances of allowed classes.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlUberspect sandbox = new JexlUberspectSandbox();\n JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n\n private static class JexlUberspectSandbox implements JexlUberspect {\n\n private static final List ALLOWED_CLASSES =\n Arrays.asList(\"java.lang.Math\", \"java.util.Random\");\n\n private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();\n\n private void checkAccess(Object obj) {\n if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {\n throw new AccessControlException(\"Not allowed\");\n }\n }\n\n @Override\n public JexlMethod getMethod(Object obj, String method, Object... args) {\n checkAccess(obj);\n return uberspect.getMethod(obj, method, args);\n }\n\n @Override\n public List getResolvers(JexlOperator op, Object obj) {\n checkAccess(obj);\n return uberspect.getResolvers(op, obj);\n }\n\n @Override\n public void setClassLoader(ClassLoader loader) {\n uberspect.setClassLoader(loader);\n }\n\n @Override\n public int getVersion() {\n return uberspect.getVersion();\n }\n\n @Override\n public JexlMethod getConstructor(Object obj, Object... 
args) {\n checkAccess(obj);\n return uberspect.getConstructor(obj, args);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(obj, identifier);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(List resolvers, Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(resolvers, obj, identifier);\n }\n\n @Override\n public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(obj, identifier, arg);\n }\n\n @Override\n public JexlPropertySet getPropertySet(List resolvers, Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(resolvers, obj, identifier, arg);\n }\n\n @Override\n public Iterator getIterator(Object obj) {\n checkAccess(obj);\n return uberspect.getIterator(obj);\n }\n\n @Override\n public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {\n return uberspect.getArithmetic(arithmetic);\n } \n }\n}\n```\n\n## References\n* Apache Commons JEXL: [Project page](https://commons.apache.org/proper/commons-jexl/).\n* Apache Commons JEXL documentation: [JEXL 2.1.1 API](https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/).\n* Apache Commons JEXL documentation: [JEXL 3.1 API](https://commons.apache.org/proper/commons-jexl/apidocs/index.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/jhipster-prng", + "name": 
"java/jhipster-prng", + "shortDescription": { + "text": "Detect JHipster Generator Vulnerability CVE-2019-16303" + }, + "fullDescription": { + "text": "Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Detect JHipster Generator Vulnerability CVE-2019-16303\nThis query detects instances of `RandomUtil.java` that were generated by a [JHipster](https://www.jhipster.tech/) version that is vulnerable to [CVE-2019-16303](https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84).\n\nIf an app uses `RandomUtil.java` generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.\n\nThis vulnerability has a [ CVSS v3.0 Base Score of 9.8/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST).\n\n\n## Example\nThe example below shows the vulnerable `RandomUtil` class generated by [JHipster prior to version 6.3.0](https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html).\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n\n private static final int DEF_COUNT = 20;\n\n private RandomUtil() {\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return 
RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n}\n\n```\nBelow is a fixed version of the `RandomUtil` class.\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\nimport java.security.SecureRandom;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom\n\n private static final int DEF_COUNT = 20;\n\n static {\n SECURE_RANDOM.nextBytes(new byte[64]);\n }\n\n private RandomUtil() {\n }\n\n private static String generateRandomAlphanumericString() {\n // GOOD: Passing Secure Random to RandomStringUtils::random\n return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return 
generateRandomAlphanumericString();\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return generateRandomAlphanumericString();\n }\n}\n\n```\n\n## Recommendation\nYou should refactor the `RandomUtil` class and replace every call to `RandomStringUtils.randomAlphaNumeric`. You could regenerate the class using the latest version of JHipster, or use an automated refactoring. For example, using the [Patching JHipster CWE-338](https://github.com/moderneinc/jhipster-cwe-338) for the [Rewrite project](https://github.com/openrewrite/rewrite).\n\n\n## References\n* Cloudflare Blog: [ Why secure systems require random numbers ](https://blog.cloudflare.com/why-randomness-matters/)\n* Hacker News: [ How I Hacked Hacker News (with arc security advisory) ](https://news.ycombinator.com/item?id=639976)\n* Posts by Pucara Information Security Team: [ The Java Soothsayer: A practical application for insecure randomness. 
(Includes free 0day) ](https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n", + "markdown": "# Detect JHipster Generator Vulnerability CVE-2019-16303\nThis query detects instances of `RandomUtil.java` that were generated by a [JHipster](https://www.jhipster.tech/) version that is vulnerable to [CVE-2019-16303](https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84).\n\nIf an app uses `RandomUtil.java` generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.\n\nThis vulnerability has a [ CVSS v3.0 Base Score of 9.8/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST).\n\n\n## Example\nThe example below shows the vulnerable `RandomUtil` class generated by [JHipster prior to version 6.3.0](https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html).\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n\n private static final int DEF_COUNT = 20;\n\n private RandomUtil() {\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * 
Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n}\n\n```\nBelow is a fixed version of the `RandomUtil` class.\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\nimport java.security.SecureRandom;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom\n\n private static final int DEF_COUNT = 20;\n\n static {\n SECURE_RANDOM.nextBytes(new byte[64]);\n }\n\n private RandomUtil() {\n }\n\n private static String generateRandomAlphanumericString() {\n // GOOD: Passing Secure Random to RandomStringUtils::random\n return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n 
public static String generateResetKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return generateRandomAlphanumericString();\n }\n}\n\n```\n\n## Recommendation\nYou should refactor the `RandomUtil` class and replace every call to `RandomStringUtils.randomAlphaNumeric`. You could regenerate the class using the latest version of JHipster, or use an automated refactoring. For example, using the [Patching JHipster CWE-338](https://github.com/moderneinc/jhipster-cwe-338) for the [Rewrite project](https://github.com/openrewrite/rewrite).\n\n\n## References\n* Cloudflare Blog: [ Why secure systems require random numbers ](https://blog.cloudflare.com/why-randomness-matters/)\n* Hacker News: [ How I Hacked Hacker News (with arc security advisory) ](https://news.ycombinator.com/item?id=639976)\n* Posts by Pucara Information Security Team: [ The Java Soothsayer: A practical application for insecure randomness. 
(Includes free 0day) ](https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-338", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql", + "precision": "very-high", + "security-severity": "7.8" + } + }, + { + "id": "java/jndi-injection", + "name": "java/jndi-injection", + "shortDescription": { + "text": "JNDI lookup with user-controlled name" + }, + "fullDescription": { + "text": "Performing a JNDI lookup with a user-controlled name can lead to the download of an untrusted object and to execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# JNDI lookup with user-controlled name\nThe Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources (in the form of Java objects) via a name. If the name being used to look up the data is controlled by the user, it can point to a malicious server, which can return an arbitrary object. In the worst case, this can allow remote code execution.\n\n\n## Recommendation\nThe general recommendation is to avoid passing untrusted data to the `InitialContext.lookup ` method. 
If the name being used to look up the object must be provided by the user, make sure that it's not in the form of an absolute URL or that it's the URL pointing to a trusted server.\n\n\n## Example\nIn the following examples, the code accepts a name from the user, which it uses to look up an object.\n\nIn the first example, the user provided name is used to look up an object.\n\nThe second example validates the name before using it to look up an object.\n\n\n```java\nimport javax.naming.Context;\nimport javax.naming.InitialContext;\n\npublic void jndiLookup(HttpServletRequest request) throws NamingException {\n String name = request.getParameter(\"name\");\n\n Hashtable env = new Hashtable();\n env.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.rmi.registry.RegistryContextFactory\");\n env.put(Context.PROVIDER_URL, \"rmi://trusted-server:1099\");\n InitialContext ctx = new InitialContext(env);\n\n // BAD: User input used in lookup\n ctx.lookup(name);\n\n // GOOD: The name is validated before being used in lookup\n if (isValid(name)) {\n ctx.lookup(name);\n } else {\n // Reject the request\n }\n}\n```\n\n## References\n* Oracle: [Java Naming and Directory Interface (JNDI)](https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/).\n* Black Hat materials: [A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf).\n* Veracode: [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n", + "markdown": "# JNDI lookup with user-controlled name\nThe Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources (in the form of Java objects) via a name. 
If the name being used to look up the data is controlled by the user, it can point to a malicious server, which can return an arbitrary object. In the worst case, this can allow remote code execution.\n\n\n## Recommendation\nThe general recommendation is to avoid passing untrusted data to the `InitialContext.lookup ` method. If the name being used to look up the object must be provided by the user, make sure that it's not in the form of an absolute URL or that it's the URL pointing to a trusted server.\n\n\n## Example\nIn the following examples, the code accepts a name from the user, which it uses to look up an object.\n\nIn the first example, the user provided name is used to look up an object.\n\nThe second example validates the name before using it to look up an object.\n\n\n```java\nimport javax.naming.Context;\nimport javax.naming.InitialContext;\n\npublic void jndiLookup(HttpServletRequest request) throws NamingException {\n String name = request.getParameter(\"name\");\n\n Hashtable env = new Hashtable();\n env.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.rmi.registry.RegistryContextFactory\");\n env.put(Context.PROVIDER_URL, \"rmi://trusted-server:1099\");\n InitialContext ctx = new InitialContext(env);\n\n // BAD: User input used in lookup\n ctx.lookup(name);\n\n // GOOD: The name is validated before being used in lookup\n if (isValid(name)) {\n ctx.lookup(name);\n } else {\n // Reject the request\n }\n}\n```\n\n## References\n* Oracle: [Java Naming and Directory Interface (JNDI)](https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/).\n* Black Hat materials: [A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf).\n* Veracode: [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java).\n* Common Weakness Enumeration: 
[CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-074", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/ldap-injection", + "name": "java/ldap-injection", + "shortDescription": { + "text": "LDAP query built from user-controlled sources" + }, + "fullDescription": { + "text": "Building an LDAP query from user-controlled sources is vulnerable to insertion of malicious LDAP code by the user." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# LDAP query built from user-controlled sources\nIf an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries.\n\n\n## Recommendation\nIf user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible build the LDAP query using framework helper methods, for example from Spring's `LdapQueryBuilder` and `LdapNameBuilder`, instead of string concatenation. Alternatively, escape user input using an appropriate LDAP encoding method, for example: `encodeForLDAP` or `encodeForDN` from OWASP ESAPI, `LdapEncoder.filterEncode` or `LdapEncoder.nameEncode` from Spring LDAP, or `Filter.encodeValue` from UnboundID library.\n\n\n## Example\nIn the following examples, the code accepts an \"organization name\" and a \"username\" from the user, which it uses to query LDAP.\n\nThe first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query. 
A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The LDAP query is executed using Java JNDI API.\n\nThe second example uses the OWASP ESAPI library to encode the user values before they are included in the DN and search filters. This ensures the meaning of the query cannot be changed by a malicious user.\n\n\n```java\nimport javax.naming.directory.DirContext;\nimport org.owasp.esapi.Encoder;\nimport org.owasp.esapi.reference.DefaultEncoder;\n\npublic void ldapQueryBad(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // BAD: User input used in DN (Distinguished Name) without encoding\n String dn = \"OU=People,O=\" + organizationName;\n\n // BAD: User input used in search filter without encoding\n String filter = \"username=\" + userName;\n\n ctx.search(dn, filter, new SearchControls());\n}\n\npublic void ldapQueryGood(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // ESAPI encoder\n Encoder encoder = DefaultEncoder.getInstance();\n\n // GOOD: Organization name is encoded before being used in DN\n String safeOrganizationName = encoder.encodeForDN(organizationName);\n String safeDn = \"OU=People,O=\" + safeOrganizationName;\n\n // GOOD: User input is encoded before being used in search filter\n String safeUsername = encoder.encodeForLDAP(username);\n String safeFilter = \"username=\" + safeUsername;\n \n ctx.search(safeDn, safeFilter, new SearchControls());\n}\n```\nThe third example uses Spring `LdapQueryBuilder` to build an LDAP query. 
In addition to simplifying the building of complex search parameters, it also provides proper escaping of any unsafe characters in search filters. The DN is built using `LdapNameBuilder`, which also provides proper escaping.\n\n\n```java\nimport static org.springframework.ldap.query.LdapQueryBuilder.query;\nimport org.springframework.ldap.support.LdapNameBuilder;\n\npublic void ldapQueryGood(@RequestParam String organizationName, @RequestParam String username) {\n // GOOD: Organization name is encoded before being used in DN\n String safeDn = LdapNameBuilder.newInstance()\n .add(\"O\", organizationName)\n .add(\"OU=People\")\n .build().toString();\n\n // GOOD: User input is encoded before being used in search filter\n LdapQuery query = query()\n .base(safeDn)\n .where(\"username\").is(username);\n\n ldapTemplate.search(query, new AttributeCheckAttributesMapper());\n}\n```\nThe fourth example uses `UnboundID` classes, `Filter` and `DN`, to construct a safe filter and base DN.\n\n\n```java\nimport com.unboundid.ldap.sdk.LDAPConnection;\nimport com.unboundid.ldap.sdk.DN;\nimport com.unboundid.ldap.sdk.RDN;\nimport com.unboundid.ldap.sdk.Filter;\n\npublic void ldapQueryGood(HttpServletRequest request, LDAPConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n DN safeDn = new DN(new RDN(\"OU\", \"People\"), new RDN(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n Filter safeFilter = Filter.createEqualityFilter(\"username\", username);\n \n c.search(safeDn.toString(), SearchScope.ONE, safeFilter);\n}\n```\nThe fifth example shows how to build a safe filter and DN using the Apache LDAP API.\n\n\n```java\nimport org.apache.directory.ldap.client.api.LdapConnection;\nimport org.apache.directory.api.ldap.model.name.Dn;\nimport 
org.apache.directory.api.ldap.model.name.Rdn;\nimport org.apache.directory.api.ldap.model.message.SearchRequest;\nimport org.apache.directory.api.ldap.model.message.SearchRequestImpl;\nimport static org.apache.directory.ldap.client.api.search.FilterBuilder.equal;\n\npublic void ldapQueryGood(HttpServletRequest request, LdapConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n Dn safeDn = new Dn(new Rdn(\"OU\", \"People\"), new Rdn(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n String safeFilter = equal(\"username\", username);\n \n SearchRequest searchRequest = new SearchRequestImpl();\n searchRequest.setBase(safeDn);\n searchRequest.setFilter(safeFilter);\n c.search(searchRequest);\n}\n```\n\n## References\n* OWASP: [LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).\n* OWASP ESAPI: [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/).\n* Spring LdapQueryBuilder doc: [LdapQueryBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html).\n* Spring LdapNameBuilder doc: [LdapNameBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html).\n* UnboundID: [Understanding and Defending Against LDAP Injection Attacks](https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n", + "markdown": "# LDAP query built from user-controlled sources\nIf an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries.\n\n\n## 
Recommendation\nIf user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible build the LDAP query using framework helper methods, for example from Spring's `LdapQueryBuilder` and `LdapNameBuilder`, instead of string concatenation. Alternatively, escape user input using an appropriate LDAP encoding method, for example: `encodeForLDAP` or `encodeForDN` from OWASP ESAPI, `LdapEncoder.filterEncode` or `LdapEncoder.nameEncode` from Spring LDAP, or `Filter.encodeValue` from UnboundID library.\n\n\n## Example\nIn the following examples, the code accepts an \"organization name\" and a \"username\" from the user, which it uses to query LDAP.\n\nThe first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query. A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The LDAP query is executed using Java JNDI API.\n\nThe second example uses the OWASP ESAPI library to encode the user values before they are included in the DN and search filters. 
This ensures the meaning of the query cannot be changed by a malicious user.\n\n\n```java\nimport javax.naming.directory.DirContext;\nimport org.owasp.esapi.Encoder;\nimport org.owasp.esapi.reference.DefaultEncoder;\n\npublic void ldapQueryBad(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // BAD: User input used in DN (Distinguished Name) without encoding\n String dn = \"OU=People,O=\" + organizationName;\n\n // BAD: User input used in search filter without encoding\n String filter = \"username=\" + userName;\n\n ctx.search(dn, filter, new SearchControls());\n}\n\npublic void ldapQueryGood(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // ESAPI encoder\n Encoder encoder = DefaultEncoder.getInstance();\n\n // GOOD: Organization name is encoded before being used in DN\n String safeOrganizationName = encoder.encodeForDN(organizationName);\n String safeDn = \"OU=People,O=\" + safeOrganizationName;\n\n // GOOD: User input is encoded before being used in search filter\n String safeUsername = encoder.encodeForLDAP(username);\n String safeFilter = \"username=\" + safeUsername;\n \n ctx.search(safeDn, safeFilter, new SearchControls());\n}\n```\nThe third example uses Spring `LdapQueryBuilder` to build an LDAP query. In addition to simplifying the building of complex search parameters, it also provides proper escaping of any unsafe characters in search filters. 
The DN is built using `LdapNameBuilder`, which also provides proper escaping.\n\n\n```java\nimport static org.springframework.ldap.query.LdapQueryBuilder.query;\nimport org.springframework.ldap.support.LdapNameBuilder;\n\npublic void ldapQueryGood(@RequestParam String organizationName, @RequestParam String username) {\n // GOOD: Organization name is encoded before being used in DN\n String safeDn = LdapNameBuilder.newInstance()\n .add(\"O\", organizationName)\n .add(\"OU=People\")\n .build().toString();\n\n // GOOD: User input is encoded before being used in search filter\n LdapQuery query = query()\n .base(safeDn)\n .where(\"username\").is(username);\n\n ldapTemplate.search(query, new AttributeCheckAttributesMapper());\n}\n```\nThe fourth example uses `UnboundID` classes, `Filter` and `DN`, to construct a safe filter and base DN.\n\n\n```java\nimport com.unboundid.ldap.sdk.LDAPConnection;\nimport com.unboundid.ldap.sdk.DN;\nimport com.unboundid.ldap.sdk.RDN;\nimport com.unboundid.ldap.sdk.Filter;\n\npublic void ldapQueryGood(HttpServletRequest request, LDAPConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n DN safeDn = new DN(new RDN(\"OU\", \"People\"), new RDN(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n Filter safeFilter = Filter.createEqualityFilter(\"username\", username);\n \n c.search(safeDn.toString(), SearchScope.ONE, safeFilter);\n}\n```\nThe fifth example shows how to build a safe filter and DN using the Apache LDAP API.\n\n\n```java\nimport org.apache.directory.ldap.client.api.LdapConnection;\nimport org.apache.directory.api.ldap.model.name.Dn;\nimport org.apache.directory.api.ldap.model.name.Rdn;\nimport org.apache.directory.api.ldap.model.message.SearchRequest;\nimport org.apache.directory.api.ldap.model.message.SearchRequestImpl;\nimport 
static org.apache.directory.ldap.client.api.search.FilterBuilder.equal;\n\npublic void ldapQueryGood(HttpServletRequest request, LdapConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n Dn safeDn = new Dn(new Rdn(\"OU\", \"People\"), new Rdn(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n String safeFilter = equal(\"username\", username);\n \n SearchRequest searchRequest = new SearchRequestImpl();\n searchRequest.setBase(safeDn);\n searchRequest.setFilter(safeFilter);\n c.search(searchRequest);\n}\n```\n\n## References\n* OWASP: [LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).\n* OWASP ESAPI: [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/).\n* Spring LdapQueryBuilder doc: [LdapQueryBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html).\n* Spring LdapNameBuilder doc: [LdapNameBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html).\n* UnboundID: [Understanding and Defending Against LDAP Injection Attacks](https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-090", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/maven/dependency-upon-bintray", + "name": "java/maven/dependency-upon-bintray", + "shortDescription": { + "text": "Depending upon JCenter/Bintray as 
an artifact repository" + }, + "fullDescription": { + "text": "Using a deprecated artifact repository may eventually give attackers access for a supply chain attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Depending upon JCenter/Bintray as an artifact repository\n[Bintray and JCenter are shutting down on February 1st, 2022](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/). Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences; for example, artifacts being resolved from a different artifact server or a total failure of the CI build.\n\nWhen artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge. Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\n\n## Recommendation\nAlways use the canonical repository for resolving your dependencies.\n\n\n## Example\nThe following example shows locations in a Maven POM file where artifact repository upload/download is configured. 
The use of Bintray in any of these locations is not advised.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Bintray Usage\n An example of using bintray to download and upload dependencies\n\n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n jcenter-snapshots\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://dl.bintray.com/groovy/maven\n \n \n \n \n jcenter-plugins\n JCenter\n \n https://jcenter.bintray.com\n \n \n\n\n```\n\n## References\n* JFrog blog: [ Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter ](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/)\n* Common Weakness Enumeration: [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html).\n", + "markdown": "# Depending upon JCenter/Bintray as an artifact repository\n[Bintray and JCenter are shutting down on February 1st, 2022](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/). Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences; for example, artifacts being resolved from a different artifact server or a total failure of the CI build.\n\nWhen artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge. Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\n\n## Recommendation\nAlways use the canonical repository for resolving your dependencies.\n\n\n## Example\nThe following example shows locations in a Maven POM file where artifact repository upload/download is configured. 
The use of Bintray in any of these locations is not advised.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Bintray Usage\n An example of using bintray to download and upload dependencies\n\n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n jcenter-snapshots\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://dl.bintray.com/groovy/maven\n \n \n \n \n jcenter-plugins\n JCenter\n \n https://jcenter.bintray.com\n \n \n\n\n```\n\n## References\n* JFrog blog: [ Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter ](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/)\n* Common Weakness Enumeration: [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1104", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql", + "precision": "very-high", + "security-severity": "6.5" + } + }, + { + "id": "java/maven/non-https-url", + "name": "java/maven/non-https-url", + "shortDescription": { + "text": "Failure to use HTTPS or SFTP URL in Maven artifact upload/download" + }, + "fullDescription": { + "text": "Non-HTTPS connections can be intercepted by third parties." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Failure to use HTTPS or SFTP URL in Maven artifact upload/download\nUsing an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a [Man in the Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. 
This can be used by attackers to perform a [Supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\nThis vulnerability has a [ CVSS v3.1 base score of 8.1/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1).\n\n\n## Recommendation\nAlways use HTTPS or SFTP to download artifacts from artifact servers.\n\n\n## Example\nThese examples show examples of locations in Maven POM files where artifact repository upload/download is configured. The first shows the use of HTTP, the second shows the use of HTTPS.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of insecure download and upload of dependencies\n\n \n \n insecure-releases\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n insecure-snapshots\n Insecure Repository Snapshots\n \n http://insecure-repository.example\n \n \n \n \n insecure\n Insecure Repository\n \n http://insecure-repository.example\n \n \n \n \n insecure-plugins\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n\n\n```\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of secure download and upload of dependencies\n\n \n \n insecure-releases\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n insecure-snapshots\n Secure Repository Snapshots\n \n https://insecure-repository.example\n \n \n \n \n insecure\n Secure Repository\n \n https://insecure-repository.example\n \n \n \n \n insecure-plugins\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n\n\n```\n\n## References\n* Research: [ Want to take over the Java ecosystem? All you need is a MITM! 
](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)\n* Research: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Proof of Concept: [ mveytsman/dilettante ](https://github.com/mveytsman/dilettante)\n* Additional Gradle & Maven plugin: [ Announcing nohttp ](https://spring.io/blog/2019/06/10/announcing-nohttp)\n* Java Ecosystem Announcement: [ HTTP Decommission Artifact Server Announcements ](https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n", + "markdown": "# Failure to use HTTPS or SFTP URL in Maven artifact upload/download\nUsing an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a [Man in the Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. 
This can be used by attackers to perform a [Supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\nThis vulnerability has a [ CVSS v3.1 base score of 8.1/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1).\n\n\n## Recommendation\nAlways use HTTPS or SFTP to download artifacts from artifact servers.\n\n\n## Example\nThese examples show examples of locations in Maven POM files where artifact repository upload/download is configured. The first shows the use of HTTP, the second shows the use of HTTPS.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of insecure download and upload of dependencies\n\n \n \n insecure-releases\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n insecure-snapshots\n Insecure Repository Snapshots\n \n http://insecure-repository.example\n \n \n \n \n insecure\n Insecure Repository\n \n http://insecure-repository.example\n \n \n \n \n insecure-plugins\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n\n\n```\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of secure download and upload of dependencies\n\n \n \n insecure-releases\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n insecure-snapshots\n Secure Repository Snapshots\n \n https://insecure-repository.example\n \n \n \n \n insecure\n Secure Repository\n \n https://insecure-repository.example\n \n \n \n \n insecure-plugins\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n\n\n```\n\n## References\n* Research: [ Want to take over the Java ecosystem? All you need is a MITM! 
](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)\n* Research: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Proof of Concept: [ mveytsman/dilettante ](https://github.com/mveytsman/dilettante)\n* Additional Gradle & Maven plugin: [ Announcing nohttp ](https://spring.io/blog/2019/06/10/announcing-nohttp)\n* Java Ecosystem Announcement: [ HTTP Decommission Artifact Server Announcements ](https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-300", + "external/cwe/cwe-319", + "external/cwe/cwe-494", + "external/cwe/cwe-829", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql", + "precision": "very-high", + "security-severity": "8.1" + } + }, + { + "id": "java/missing-jwt-signature-check", + "name": "java/missing-jwt-signature-check", + "shortDescription": { + "text": "Missing JWT signature check" + }, + "fullDescription": { + "text": "Failing to check the Json Web Token (JWT) signature may allow an attacker to forge their own tokens." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Missing JWT signature check\nA JSON Web Token (JWT) consists of three parts: header, payload, and signature. 
The `io.jsonwebtoken.jjwt` library is one of many libraries used for working with JWTs. It offers different methods for parsing tokens like `parse`, `parseClaimsJws`, and `parsePlaintextJws`. The last two correctly verify that the JWT is properly signed. This is done by computing the signature of the combination of header and payload and comparing the locally computed signature with the signature part of the JWT.\n\nTherefore it is necessary to provide the `JwtParser` with a key that is used for signature validation. Unfortunately the `parse` method **accepts** a JWT whose signature is empty although a signing key has been set for the parser. This means that an attacker can create arbitrary JWTs that will be accepted if this method is used.\n\n\n## Recommendation\nAlways verify the signature by using either the `parseClaimsJws` and `parsePlaintextJws` methods or by overriding the `onPlaintextJws` or `onClaimsJws` of `JwtHandlerAdapter`.\n\n\n## Example\nThe following example shows four cases where a signing key is set for a parser. In the first 'BAD' case the `parse` method is used, which will not validate the signature. The second 'BAD' case uses a `JwtHandlerAdapter` where the `onPlaintextJwt` method is overriden, so it will not validate the signature. 
The third and fourth 'GOOD' cases use `parseClaimsJws` method or override the `onPlaintextJws` method.\n\n\n```java\npublic void badJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(token); // BAD: Does not verify the signature\n}\n\npublic void badJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jwt onPlaintextJwt(Jwt jwt) {\n return jwt;\n }\n }); // BAD: The handler is called on an unverified JWT\n}\n\npublic void goodJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parseClaimsJws(token) // GOOD: Verify the signature\n .getBody();\n}\n\npublic void goodJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jws onPlaintextJws(Jws jws) {\n return jws;\n }\n }); // GOOD: The handler is called on a verified JWS\n}\n```\n\n## References\n* zofrex: [How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing App](https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n", + "markdown": "# Missing JWT signature check\nA JSON Web Token (JWT) consists of three parts: header, payload, and signature. The `io.jsonwebtoken.jjwt` library is one of many libraries used for working with JWTs. It offers different methods for parsing tokens like `parse`, `parseClaimsJws`, and `parsePlaintextJws`. The last two correctly verify that the JWT is properly signed. This is done by computing the signature of the combination of header and payload and comparing the locally computed signature with the signature part of the JWT.\n\nTherefore it is necessary to provide the `JwtParser` with a key that is used for signature validation. 
Unfortunately the `parse` method **accepts** a JWT whose signature is empty although a signing key has been set for the parser. This means that an attacker can create arbitrary JWTs that will be accepted if this method is used.\n\n\n## Recommendation\nAlways verify the signature by using either the `parseClaimsJws` and `parsePlaintextJws` methods or by overriding the `onPlaintextJws` or `onClaimsJws` of `JwtHandlerAdapter`.\n\n\n## Example\nThe following example shows four cases where a signing key is set for a parser. In the first 'BAD' case the `parse` method is used, which will not validate the signature. The second 'BAD' case uses a `JwtHandlerAdapter` where the `onPlaintextJwt` method is overriden, so it will not validate the signature. The third and fourth 'GOOD' cases use `parseClaimsJws` method or override the `onPlaintextJws` method.\n\n\n```java\npublic void badJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(token); // BAD: Does not verify the signature\n}\n\npublic void badJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jwt onPlaintextJwt(Jwt jwt) {\n return jwt;\n }\n }); // BAD: The handler is called on an unverified JWT\n}\n\npublic void goodJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parseClaimsJws(token) // GOOD: Verify the signature\n .getBody();\n}\n\npublic void goodJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jws onPlaintextJws(Jws jws) {\n return jws;\n }\n }); // GOOD: The handler is called on a verified JWS\n}\n```\n\n## References\n* zofrex: [How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing 
App](https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-347", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/mvel-expression-injection", + "name": "java/mvel-expression-injection", + "shortDescription": { + "text": "Expression language injection (MVEL)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled MVEL expression may lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (MVEL)\nMVEL is an expression language based on Java-syntax, which offers many features including invocation of methods available in the JVM. If a MVEL expression is built using attacker-controlled data, and then evaluated, then it may allow attackers to run arbitrary code.\n\n\n## Recommendation\nIncluding user input in a MVEL expression should be avoided.\n\n\n## Example\nIn the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. 
In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // BAD: the user-provided expression is directly evaluated\n MVEL.eval(expression);\n }\n}\n\npublic void safeEvaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // GOOD: the user-provided expression is validated before evaluation\n validateExpression(expression);\n MVEL.eval(expression);\n }\n}\n\nprivate void validateExpression(String expression) {\n // Validate that the expression does not contain unexpected code.\n // For instance, this can be done with allow-lists or deny-lists of code patterns.\n}\n```\n\n## References\n* MVEL Documentation: [Language Guide for 2.0](http://mvel.documentnode.com/).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (MVEL)\nMVEL is an expression language based on Java-syntax, which offers many features including invocation of methods available in the JVM. If a MVEL expression is built using attacker-controlled data, and then evaluated, then it may allow attackers to run arbitrary code.\n\n\n## Recommendation\nIncluding user input in a MVEL expression should be avoided.\n\n\n## Example\nIn the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. 
In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // BAD: the user-provided expression is directly evaluated\n MVEL.eval(expression);\n }\n}\n\npublic void safeEvaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // GOOD: the user-provided expression is validated before evaluation\n validateExpression(expression);\n MVEL.eval(expression);\n }\n}\n\nprivate void validateExpression(String expression) {\n // Validate that the expression does not contain unexpected code.\n // For instance, this can be done with allow-lists or deny-lists of code patterns.\n}\n```\n\n## References\n* MVEL Documentation: [Language Guide for 2.0](http://mvel.documentnode.com/).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/netty-http-request-or-response-splitting", + "name": "java/netty-http-request-or-response-splitting", + "shortDescription": { + "text": "Disabled Netty HTTP header validation" + }, + "fullDescription": { + "text": "Disabling HTTP header validation makes code vulnerable to attack by header splitting if user input is written directly to an 
HTTP header." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabled Netty HTTP header validation\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. 
The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. 
The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-93](https://cwe.mitre.org/data/definitions/93.html).\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n", + "markdown": "# Disabled Netty HTTP header validation\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. 
This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. 
The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response 
splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-93](https://cwe.mitre.org/data/definitions/93.html).\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-113", + "external/cwe/cwe-93", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/ognl-injection", + "name": "java/ognl-injection", + "shortDescription": { + "text": "OGNL Expression Language statement with user-controlled input" + }, + "fullDescription": { + "text": "Evaluation of OGNL Expression Language statement with user-controlled input can lead to execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# OGNL Expression Language statement with user-controlled input\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. OGNL can create or change executable code, consequently it can introduce critical security flaws to any application that uses it. Evaluation of unvalidated expressions is a common flaw in OGNL. This exposes the properties of Java objects to modification by an attacker and may allow them to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to avoid evaluating untrusted ONGL expressions. 
If user-provided OGNL expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.\n\n\n## Example\nIn the following examples, the code accepts an OGNL expression from the user and evaluates it.\n\nIn the first example, the user-provided OGNL expression is parsed and evaluated.\n\nThe second example validates the expression and evaluates it inside a sandbox. You can add a sandbox by setting a system property, as shown in the example, or by adding `-Dognl.security.manager` to JVM arguments.\n\n\n```java\nimport ognl.Ognl;\nimport ognl.OgnlException;\n\npublic void evaluate(HttpServletRequest request, Object root) throws OgnlException {\n String expression = request.getParameter(\"expression\");\n\n // BAD: User provided expression is evaluated\n Ognl.getValue(expression, root);\n \n // GOOD: The name is validated and expression is evaluated in sandbox\n System.setProperty(\"ognl.security.manager\", \"\"); // Or add -Dognl.security.manager to JVM args\n if (isValid(expression)) {\n Ognl.getValue(expression, root);\n } else {\n // Reject the request\n }\n}\n\npublic void isValid(Strig expression) {\n // Custom method to validate the expression.\n // For instance, make sure it doesn't include unexpected code.\n}\n\n```\n\n## References\n* Apache Commons: [Apache Commons OGNL](https://commons.apache.org/proper/commons-ognl/).\n* Struts security: [Proactively protect from OGNL Expression Injections attacks](https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable).\n* Common Weakness Enumeration: [CWE-917](https://cwe.mitre.org/data/definitions/917.html).\n", + "markdown": "# OGNL Expression Language statement with user-controlled input\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. OGNL can create or change executable code, consequently it can introduce critical security flaws to any application that uses it. 
Evaluation of unvalidated expressions is a common flaw in OGNL. This exposes the properties of Java objects to modification by an attacker and may allow them to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to avoid evaluating untrusted ONGL expressions. If user-provided OGNL expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.\n\n\n## Example\nIn the following examples, the code accepts an OGNL expression from the user and evaluates it.\n\nIn the first example, the user-provided OGNL expression is parsed and evaluated.\n\nThe second example validates the expression and evaluates it inside a sandbox. You can add a sandbox by setting a system property, as shown in the example, or by adding `-Dognl.security.manager` to JVM arguments.\n\n\n```java\nimport ognl.Ognl;\nimport ognl.OgnlException;\n\npublic void evaluate(HttpServletRequest request, Object root) throws OgnlException {\n String expression = request.getParameter(\"expression\");\n\n // BAD: User provided expression is evaluated\n Ognl.getValue(expression, root);\n \n // GOOD: The name is validated and expression is evaluated in sandbox\n System.setProperty(\"ognl.security.manager\", \"\"); // Or add -Dognl.security.manager to JVM args\n if (isValid(expression)) {\n Ognl.getValue(expression, root);\n } else {\n // Reject the request\n }\n}\n\npublic void isValid(Strig expression) {\n // Custom method to validate the expression.\n // For instance, make sure it doesn't include unexpected code.\n}\n\n```\n\n## References\n* Apache Commons: [Apache Commons OGNL](https://commons.apache.org/proper/commons-ognl/).\n* Struts security: [Proactively protect from OGNL Expression Injections attacks](https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable).\n* Common Weakness Enumeration: [CWE-917](https://cwe.mitre.org/data/definitions/917.html).\n" + }, + "properties": { + "tags": [ 
+ "external/cwe/cwe-917", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/overly-large-range", + "name": "java/overly-large-range", + "shortDescription": { + "text": "Overly permissive regular expression range" + }, + "fullDescription": { + "text": "Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```java\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-f]{6}\", color);\n }\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-F]{6}\", color);\n }\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. 
Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```java\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-f]{6}\", color);\n }\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-F]{6}\", color);\n }\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/partial-path-traversal-from-remote", + "name": "java/partial-path-traversal-from-remote", + "shortDescription": { + "text": "Partial path traversal vulnerability from remote" + }, + "fullDescription": { + "text": "A prefix used to check that a canonicalised path falls within another must be slash-terminated." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Partial path traversal vulnerability from remote\nA common way to check that a user-supplied path `SUBDIR` falls inside a directory `DIR` is to use `getCanonicalPath()` to remove any path-traversal elements and then check that `DIR` is a prefix. However, if `DIR` is not slash-terminated, this can unexpectedly allow accessing siblings of `DIR`.\n\nSee also `java/partial-path-traversal`, which is similar to this query, but may also flag non-remotely-exploitable instances of partial path traversal vulnerabilities.\n\n\n## Recommendation\nIf the user should only access items within a certain directory `DIR`, ensure that `DIR` is slash-terminated before checking that `DIR` is a prefix of the user-provided path, `SUBDIR`. Note, Java's `getCanonicalPath()` returns a **non**-slash-terminated path string, so a slash must be added to `DIR` if that method is used.\n\n\n## Example\nIn this example, the `if` statement checks if `parent.getCanonicalPath()` is a prefix of `dir.getCanonicalPath()`. However, `parent.getCanonicalPath()` is not slash-terminated. This means that users that supply `dir` may be also allowed to access siblings of `parent` and not just children of `parent`, which is a security issue.\n\n\n```java\npublic class PartialPathTraversalBad {\n public void example(File dir, File parent) throws IOException {\n if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\nIn this example, the `if` statement checks if `parent.toPath()` is a prefix of `dir.normalize()`. 
Because `Path#startsWith` does the correct check that `dir` is a child of `parent`, users will not be able to access siblings of `parent`, as desired.\n\n\n```java\nimport java.io.File;\n\npublic class PartialPathTraversalGood {\n public void example(File dir, File parent) throws IOException {\n if (!dir.toPath().normalize().startsWith(parent.toPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Partial Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* CVE-2022-23457: [ ESAPI Vulnerability Report](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n", + "markdown": "# Partial path traversal vulnerability from remote\nA common way to check that a user-supplied path `SUBDIR` falls inside a directory `DIR` is to use `getCanonicalPath()` to remove any path-traversal elements and then check that `DIR` is a prefix. However, if `DIR` is not slash-terminated, this can unexpectedly allow accessing siblings of `DIR`.\n\nSee also `java/partial-path-traversal`, which is similar to this query, but may also flag non-remotely-exploitable instances of partial path traversal vulnerabilities.\n\n\n## Recommendation\nIf the user should only access items within a certain directory `DIR`, ensure that `DIR` is slash-terminated before checking that `DIR` is a prefix of the user-provided path, `SUBDIR`. Note, Java's `getCanonicalPath()` returns a **non**-slash-terminated path string, so a slash must be added to `DIR` if that method is used.\n\n\n## Example\nIn this example, the `if` statement checks if `parent.getCanonicalPath()` is a prefix of `dir.getCanonicalPath()`. However, `parent.getCanonicalPath()` is not slash-terminated. 
This means that users that supply `dir` may be also allowed to access siblings of `parent` and not just children of `parent`, which is a security issue.\n\n\n```java\npublic class PartialPathTraversalBad {\n public void example(File dir, File parent) throws IOException {\n if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\nIn this example, the `if` statement checks if `parent.toPath()` is a prefix of `dir.normalize()`. Because `Path#startsWith` does the correct check that `dir` is a child of `parent`, users will not be able to access siblings of `parent`, as desired.\n\n\n```java\nimport java.io.File;\n\npublic class PartialPathTraversalGood {\n public void example(File dir, File parent) throws IOException {\n if (!dir.toPath().normalize().startsWith(parent.toPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Partial Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* CVE-2022-23457: [ ESAPI Vulnerability Report](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-023", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/path-injection", + "name": "java/path-injection", + "shortDescription": { + "text": "Uncontrolled data used in path expression" + }, + "fullDescription": { + "text": "Accessing paths influenced by users can allow an attacker to access unexpected resources." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Uncontrolled data used in path expression\nAccessing paths controlled by users can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nPaths that are naively constructed from data controlled by a user may be absolute paths, or may contain unexpected special characters such as \"..\". Such a path could point anywhere on the file system.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nCommon validation methods include checking that the normalized path is relative and does not contain any \"..\" components, or checking that the path is contained within a safe folder. The method you should use depends on how the path is used in the application, and whether the path should be a single path component.\n\nIf the path should be a single path component (such as a file name), you can check for the existence of any path separators (\"/\" or \"\\\\\"), or \"..\" sequences in the input, and reject the input if any are found.\n\nNote that removing \"../\" sequences is *not* sufficient, since the input could still contain a path separator followed by \"..\". For example, the input \".../...//\" would still result in the string \"../\" if only \"../\" sequences are removed.\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn this example, a file name is read from a `java.net.Socket` and then used to access a file and send it back over the socket. 
However, a malicious user could enter a file name anywhere on the file system, such as \"/etc/passwd\" or \"../../../etc/passwd\".\n\n\n```java\npublic void sendUserFile(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// BAD: read from a file without checking its path\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n\n```\nIf the input should only be a file name, you can check that it doesn't contain any path separators or \"..\" sequences.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// GOOD: ensure that the filename has no path separators or parent directory references\n\tif (filename.contains(\"..\") || filename.contains(\"/\") || filename.contains(\"\\\\\")) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\t\n}\n\n```\nIf the input should be within a specific directory, you can check that the resolved path is still contained within that directory.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\n\tPath publicFolder = Paths.get(\"/home/\" + user + 
\"/public\").normalize().toAbsolutePath();\n\tPath filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();\n\n\t// GOOD: ensure that the path stays within the public folder\n\tif (!filePath.startsWith(publicFolder + File.separator)) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n", + "markdown": "# Uncontrolled data used in path expression\nAccessing paths controlled by users can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nPaths that are naively constructed from data controlled by a user may be absolute paths, or may contain unexpected special characters such as \"..\". Such a path could point anywhere on the file system.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nCommon validation methods include checking that the normalized path is relative and does not contain any \"..\" components, or checking that the path is contained within a safe folder. 
The method you should use depends on how the path is used in the application, and whether the path should be a single path component.\n\nIf the path should be a single path component (such as a file name), you can check for the existence of any path separators (\"/\" or \"\\\\\"), or \"..\" sequences in the input, and reject the input if any are found.\n\nNote that removing \"../\" sequences is *not* sufficient, since the input could still contain a path separator followed by \"..\". For example, the input \".../...//\" would still result in the string \"../\" if only \"../\" sequences are removed.\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn this example, a file name is read from a `java.net.Socket` and then used to access a file and send it back over the socket. However, a malicious user could enter a file name anywhere on the file system, such as \"/etc/passwd\" or \"../../../etc/passwd\".\n\n\n```java\npublic void sendUserFile(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// BAD: read from a file without checking its path\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n\n```\nIf the input should only be a file name, you can check that it doesn't contain any path separators or \"..\" sequences.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// GOOD: ensure that the filename has no path 
separators or parent directory references\n\tif (filename.contains(\"..\") || filename.contains(\"/\") || filename.contains(\"\\\\\")) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\t\n}\n\n```\nIf the input should be within a specific directory, you can check that the resolved path is still contained within that directory.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\n\tPath publicFolder = Paths.get(\"/home/\" + user + \"/public\").normalize().toAbsolutePath();\n\tPath filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();\n\n\t// GOOD: ensure that the path stays within the public folder\n\tif (!filePath.startsWith(publicFolder + File.separator)) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n" + }, + "properties": { + "tags": [ + 
"external/cwe/cwe-022", + "external/cwe/cwe-023", + "external/cwe/cwe-036", + "external/cwe/cwe-073", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/polynomial-redos", + "name": "java/polynomial-redos", + "shortDescription": { + "text": "Polynomial regular expression used on uncontrolled data" + }, + "fullDescription": { + "text": "A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. 
More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```java\n\nPattern.compile(\"^\\\\s+|\\\\s+$\").matcher(text).replaceAll(\"\") // BAD\n```\nThe sub-expression `\"\\\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`\"^\\\\s+|(? 
1000) {\n throw new IllegalArgumentException(\"Input too long\");\n}\n\nPattern.matches(\"^(\\\\+|-)?(\\\\d+|(\\\\d*\\\\.\\\\d*))?(E|e)?([-+])?(\\\\d+)?$\", str); \n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown": "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```java\n\nPattern.compile(\"^\\\\s+|\\\\s+$\").matcher(text).replaceAll(\"\") // BAD\n```\nThe sub-expression `\"\\\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. 
So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`\"^\\\\s+|(? 1000) {\n throw new IllegalArgumentException(\"Input too long\");\n}\n\nPattern.matches(\"^(\\\\+|-)?(\\\\d+|(\\\\d*\\\\.\\\\d*))?(E|e)?([-+])?(\\\\d+)?$\", str); \n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1333", + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/predictable-seed", + "name": "java/predictable-seed", + "shortDescription": { + "text": "Use of a predictable seed in a secure random number generator" + }, + "fullDescription": { + "text": "Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of a predictable seed in a secure random number generator\nUsing a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.\n\n\n## Recommendation\nIf the predictability of the pseudo-random number generator does not matter then consider using the faster `Random` class from `java.util`. If it is important that the pseudo-random number generator produces completely unpredictable values then either let the generator securely seed itself by not specifying a seed or specify a randomly generated, unpredictable seed.\n\n\n## Example\nIn the first example shown here, a constant value is used as a seed. Depending on the implementation of ` SecureRandom`, this could lead to the same random number being generated each time the code is executed.\n\nIn the second example shown here, the system time is used as a seed. Depending on the implementation of ` SecureRandom`, if an attacker knows what time the code was run, they could predict the generated random number.\n\nIn the third example shown here, the random number generator is allowed to generate its own seed, which it will do in a secure way.\n\n\n```java\nSecureRandom prng = new SecureRandom();\nint randomData = 0;\n\n// BAD: Using a constant value as a seed for a random number generator means all numbers it generates are predictable.\nprng.setSeed(12345L);\nrandomData = prng.next(32);\n\n// BAD: System.currentTimeMillis() returns the system time which is predictable.\nprng.setSeed(System.currentTimeMillis());\nrandomData = prng.next(32);\n\n// GOOD: SecureRandom implementations seed themselves securely by default.\nprng = new SecureRandom();\nrandomData = prng.next(32);\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-335](https://cwe.mitre.org/data/definitions/335.html).\n* Common Weakness Enumeration: [CWE-337](https://cwe.mitre.org/data/definitions/337.html).\n", + 
"markdown": "# Use of a predictable seed in a secure random number generator\nUsing a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.\n\n\n## Recommendation\nIf the predictability of the pseudo-random number generator does not matter then consider using the faster `Random` class from `java.util`. If it is important that the pseudo-random number generator produces completely unpredictable values then either let the generator securely seed itself by not specifying a seed or specify a randomly generated, unpredictable seed.\n\n\n## Example\nIn the first example shown here, a constant value is used as a seed. Depending on the implementation of ` SecureRandom`, this could lead to the same random number being generated each time the code is executed.\n\nIn the second example shown here, the system time is used as a seed. Depending on the implementation of ` SecureRandom`, if an attacker knows what time the code was run, they could predict the generated random number.\n\nIn the third example shown here, the random number generator is allowed to generate its own seed, which it will do in a secure way.\n\n\n```java\nSecureRandom prng = new SecureRandom();\nint randomData = 0;\n\n// BAD: Using a constant value as a seed for a random number generator means all numbers it generates are predictable.\nprng.setSeed(12345L);\nrandomData = prng.next(32);\n\n// BAD: System.currentTimeMillis() returns the system time which is predictable.\nprng.setSeed(System.currentTimeMillis());\nrandomData = prng.next(32);\n\n// GOOD: SecureRandom implementations seed themselves securely by default.\nprng = new SecureRandom();\nrandomData = prng.next(32);\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-335](https://cwe.mitre.org/data/definitions/335.html).\n* Common Weakness Enumeration: [CWE-337](https://cwe.mitre.org/data/definitions/337.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-335", + 
"external/cwe/cwe-337", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/redos", + "name": "java/redos", + "shortDescription": { + "text": "Inefficient regular expression" + }, + "fullDescription": { + "text": "A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. 
More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this regular expression:\n\n```java\n\n^_(__|.)+_$\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```java\n\n^_(__|[^_])+_$\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + 
"markdown": "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. 
Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this regular expression:\n\n```java\n\n^_(__|.)+_$\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```java\n\n^_(__|[^_])+_$\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1333", + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/ReDoS.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/regex-injection", + "name": "java/regex-injection", + "shortDescription": { + "text": "Regular expression injection" + 
}, + "fullDescription": { + "text": "User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to provide a regex that could require exponential time on certain inputs." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as `Pattern.quote` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows an HTTP request parameter that is used to construct a regular expression.\n\nIn the first case the user-provided regex is not escaped. If a malicious user provides a regex whose worst-case performance is exponential, then this could lead to a Denial of Service.\n\nIn the second case, the user input is escaped using `Pattern.quote` before being included in the regular expression. 
This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```java\nimport java.util.regex.Pattern;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\n\npublic class RegexInjectionDemo extends HttpServlet {\n\n public boolean badExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n return input.matches(regex);\n }\n\n public boolean goodExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n return input.matches(Pattern.quote(regex));\n }\n}\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Java API Specification: [Pattern.quote](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown": "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. 
In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as `Pattern.quote` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows an HTTP request parameter that is used to construct a regular expression.\n\nIn the first case the user-provided regex is not escaped. If a malicious user provides a regex whose worst-case performance is exponential, then this could lead to a Denial of Service.\n\nIn the second case, the user input is escaped using `Pattern.quote` before being included in the regular expression. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```java\nimport java.util.regex.Pattern;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\n\npublic class RegexInjectionDemo extends HttpServlet {\n\n public boolean badExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n return input.matches(regex);\n }\n\n public boolean goodExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n return input.matches(Pattern.quote(regex));\n }\n}\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Java API Specification: 
[Pattern.quote](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/rsa-without-oaep", + "name": "java/rsa-without-oaep", + "shortDescription": { + "text": "Use of RSA algorithm without OAEP" + }, + "fullDescription": { + "text": "Using RSA encryption without OAEP padding can result in a padding oracle attack, leading to a weaker encryption." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of RSA algorithm without OAEP\nCryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption. 
Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.\n\n\n## Recommendation\nUse the OAEP scheme when using RSA encryption.\n\n\n## Example\nIn the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.\n\n\n```java\n// BAD: No padding scheme is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/NoPadding\");\n...\n\n//GOOD: OAEP padding is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-1AndMGF1Padding\");\n...\n```\n\n## References\n* [Mobile Security Testing Guide](https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations).\n* [The Padding Oracle Attack](https://robertheaton.com/2013/07/29/padding-oracle-attack/).\n* Common Weakness Enumeration: [CWE-780](https://cwe.mitre.org/data/definitions/780.html).\n", + "markdown": "# Use of RSA algorithm without OAEP\nCryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption. 
Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.\n\n\n## Recommendation\nUse the OAEP scheme when using RSA encryption.\n\n\n## Example\nIn the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.\n\n\n```java\n// BAD: No padding scheme is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/NoPadding\");\n...\n\n//GOOD: OAEP padding is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-1AndMGF1Padding\");\n...\n```\n\n## References\n* [Mobile Security Testing Guide](https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations).\n* [The Padding Oracle Attack](https://robertheaton.com/2013/07/29/padding-oracle-attack/).\n* Common Weakness Enumeration: [CWE-780](https://cwe.mitre.org/data/definitions/780.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-780", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/server-side-template-injection", + "name": "java/server-side-template-injection", + "shortDescription": { + "text": "Server-side template injection" + }, + "fullDescription": { + "text": "Untrusted input interpreted as a template can lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Server-side template injection\nTemplate injection occurs when user input is embedded in a template's code in an unsafe manner. An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. 
This permits the attacker to run arbitrary code in the server's context.\n\n\n## Recommendation\nTo fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.\n\n\n## Example\nIn the example given below, an untrusted HTTP parameter `code` is used as a Velocity template string. This can lead to remote code execution.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"bad\")\n\tpublic void bad(HttpServletRequest request) {\n\t\tVelocity.init();\n\n\t\tString code = request.getParameter(\"code\");\n\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tStringWriter w = new StringWriter();\n\t\t// evaluate( Context context, Writer out, String logTag, String instring )\n\t\tVelocity.evaluate(context, w, \"mystring\", code);\n\t}\n}\n\n```\nIn the next example, the problem is avoided by using a fixed template string `s`. 
Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"good\")\n\tpublic void good(HttpServletRequest request) {\n\t\tVelocity.init();\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tString s = \"We are using $project $name to render this.\";\n\t\tStringWriter w = new StringWriter();\n\t\tVelocity.evaluate(context, w, \"mystring\", s);\n\t\tSystem.out.println(\" string : \" + w);\n\t}\n}\n\n```\n\n## References\n* Portswigger: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Server-side template injection\nTemplate injection occurs when user input is embedded in a template's code in an unsafe manner. An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. This permits the attacker to run arbitrary code in the server's context.\n\n\n## Recommendation\nTo fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.\n\n\n## Example\nIn the example given below, an untrusted HTTP parameter `code` is used as a Velocity template string. 
This can lead to remote code execution.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"bad\")\n\tpublic void bad(HttpServletRequest request) {\n\t\tVelocity.init();\n\n\t\tString code = request.getParameter(\"code\");\n\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tStringWriter w = new StringWriter();\n\t\t// evaluate( Context context, Writer out, String logTag, String instring )\n\t\tVelocity.evaluate(context, w, \"mystring\", code);\n\t}\n}\n\n```\nIn the next example, the problem is avoided by using a fixed template string `s`. Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"good\")\n\tpublic void good(HttpServletRequest request) {\n\t\tVelocity.init();\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tString s = \"We are using $project $name to render this.\";\n\t\tStringWriter w = new StringWriter();\n\t\tVelocity.evaluate(context, w, \"mystring\", s);\n\t\tSystem.out.println(\" string : \" + w);\n\t}\n}\n\n```\n\n## References\n* Portswigger: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "external/cwe/cwe-1336", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": 
"java/spel-expression-injection", + "name": "java/spel-expression-injection", + "shortDescription": { + "text": "Expression language injection (Spring)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled Spring Expression Language (SpEL) expression may lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (Spring)\nThe Spring Expression Language (SpEL) is a powerful expression language provided by the Spring Framework. The language offers many features including invocation of methods available in the JVM. If a SpEL expression is built using attacker-controlled data, and then evaluated in a powerful context, then it may allow the attacker to run arbitrary code.\n\nThe `SpelExpressionParser` class parses a SpEL expression string and returns an `Expression` instance that can be then evaluated by calling one of its methods. By default, an expression is evaluated in a powerful `StandardEvaluationContext` that allows the expression to access other methods available in the JVM.\n\n\n## Recommendation\nIn general, including user input in a SpEL expression should be avoided. If user input must be included in the expression, it should be then evaluated in a limited context that doesn't allow arbitrary method invocation.\n\n\n## Example\nThe following example uses untrusted data to build a SpEL expression and then runs it in the default powerful context.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n return expression.getValue();\n }\n}\n```\nThe next example shows how an untrusted SpEL expression can be run in `SimpleEvaluationContext` that doesn't allow accessing arbitrary methods. 
However, it's recommended to avoid using untrusted input in SpEL expressions.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n SimpleEvaluationContext context \n = SimpleEvaluationContext.forReadWriteDataBinding().build();\n return expression.getValue(context);\n }\n}\n```\n\n## References\n* Spring Framework Reference Documentation: [Spring Expression Language (SpEL)](https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/expressions.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (Spring)\nThe Spring Expression Language (SpEL) is a powerful expression language provided by the Spring Framework. The language offers many features including invocation of methods available in the JVM. If a SpEL expression is built using attacker-controlled data, and then evaluated in a powerful context, then it may allow the attacker to run arbitrary code.\n\nThe `SpelExpressionParser` class parses a SpEL expression string and returns an `Expression` instance that can be then evaluated by calling one of its methods. By default, an expression is evaluated in a powerful `StandardEvaluationContext` that allows the expression to access other methods available in the JVM.\n\n\n## Recommendation\nIn general, including user input in a SpEL expression should be avoided. 
If user input must be included in the expression, it should be then evaluated in a limited context that doesn't allow arbitrary method invocation.\n\n\n## Example\nThe following example uses untrusted data to build a SpEL expression and then runs it in the default powerful context.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n return expression.getValue();\n }\n}\n```\nThe next example shows how an untrusted SpEL expression can be run in `SimpleEvaluationContext` that doesn't allow accessing arbitrary methods. However, it's recommended to avoid using untrusted input in SpEL expressions.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n SimpleEvaluationContext context \n = SimpleEvaluationContext.forReadWriteDataBinding().build();\n return expression.getValue(context);\n }\n}\n```\n\n## References\n* Spring Framework Reference Documentation: [Spring Expression Language (SpEL)](https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/expressions.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql", + 
"precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/spring-disabled-csrf-protection", + "name": "java/spring-disabled-csrf-protection", + "shortDescription": { + "text": "Disabled Spring CSRF protection" + }, + "fullDescription": { + "text": "Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabled Spring CSRF protection\nWhen you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n\n## Recommendation\nWhen you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n\n\n## Example\nThe following example shows the Spring Java configuration with CSRF protection disabled. 
This type of configuration should only be used if you are creating a service that is used only by non-browser clients.\n\n\n```java\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@EnableWebSecurity\n@Configuration\npublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {\n @Override\n protected void configure(HttpSecurity http) throws Exception {\n http\n .csrf(csrf ->\n // BAD - CSRF protection shouldn't be disabled\n csrf.disable() \n );\n }\n}\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Spring Security Reference: [ Cross Site Request Forgery (CSRF) ](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n", + "markdown": "# Disabled Spring CSRF protection\nWhen you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n\n## Recommendation\nWhen you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n\n\n## Example\nThe following example shows the Spring Java configuration with CSRF protection disabled. 
This type of configuration should only be used if you are creating a service that is used only by non-browser clients.\n\n\n```java\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@EnableWebSecurity\n@Configuration\npublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {\n @Override\n protected void configure(HttpSecurity http) throws Exception {\n http\n .csrf(csrf ->\n // BAD - CSRF protection shouldn't be disabled\n csrf.disable() \n );\n }\n}\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Spring Security Reference: [ Cross Site Request Forgery (CSRF) ](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-352", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/sql-injection", + "name": "java/sql-injection", + "shortDescription": { + "text": "Query built from user-controlled sources" + }, + "fullDescription": { + "text": "Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of malicious code by the user." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Query built from user-controlled sources\nIf a database query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious database queries. This applies to various database query languages, including SQL and the Java Persistence Query Language.\n\n\n## Recommendation\nUsually, it is better to use a SQL prepared statement than to build a complete SQL query with string concatenation. A prepared statement can include a wildcard, written as a question mark (?), for each part of the SQL query that is expected to be filled in by a different value each time it is run. When the query is later executed, a value must be supplied for each wildcard in the query.\n\nIn the Java Persistence Query Language, it is better to use queries with parameters than to build a complete query with string concatenation. A Java Persistence query can include a parameter placeholder for each part of the query that is expected to be filled in by a different value when run. A parameter placeholder may be indicated by a colon (:) followed by a parameter name, or by a question mark (?) followed by an integer position. When the query is later executed, a value must be supplied for each parameter in the query, using the `setParameter` method. Specifying the query using the `@NamedQuery` annotation introduces an additional level of safety: the query must be a constant string literal, preventing construction by string concatenation, and the only way to fill in values for parts of the query is by setting positional parameters.\n\nIt is good practice to use prepared statements (in SQL) or query parameters (in the Java Persistence Query Language) for supplying parameter values to a query, whether or not any of the parameters are directly traceable to user input. 
Doing so avoids any need to worry about quoting and escaping.\n\n\n## Example\nIn the following example, the code runs a simple SQL query in two different ways.\n\nThe first way involves building a query, `query1`, by concatenating an environment variable with some string literals. The environment variable can include special characters, so this code allows for SQL injection attacks.\n\nThe second way, which shows good practice, involves building a query, `query2`, with a single string literal that includes a wildcard (`?`). The wildcard is then given a value by calling `setString`. This version is immune to injection attacks, because any special characters in the environment variable are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have SQL special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\"\n + category + \"' ORDER BY PRICE\";\n ResultSet results = statement.executeQuery(query1);\n}\n\n{\n // GOOD: use a prepared query\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE\";\n PreparedStatement statement = connection.prepareStatement(query2);\n statement.setString(1, category);\n ResultSet results = statement.executeQuery();\n}\n```\n\n## Example\nThe following code shows several different ways to run a Java Persistence query.\n\nThe first example involves building a query, `query1`, by concatenating an environment variable with some string literals. Just like the SQL example, the environment variable can include special characters, so this code allows for Java Persistence query injection attacks.\n\nThe remaining examples demonstrate different methods for safely building a Java Persistence query with user-supplied values:\n\n1. 
`query2` uses a single string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `query3` uses a single string literal that includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\n1. `namedQuery1` is defined using the `@NamedQuery` annotation, whose `query` attribute is a string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `namedQuery2` is defined using the `@NamedQuery` annotation, whose `query` attribute includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\nThe parameter is then given a value by calling `setParameter`. These versions are immune to injection attacks, because any special characters in the environment variable or user-supplied value are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have Java Persistence Query Language special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT p FROM Product p WHERE p.category LIKE '\"\n + category + \"' ORDER BY p.price\";\n Query q = entityManager.createQuery(query1);\n}\n\n{\n // GOOD: use a named parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\"\n Query q = entityManager.createQuery(query2);\n q.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a positional parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query3 = \"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\"\n Query q = entityManager.createQuery(query3);\n q.setParameter(1, category);\n}\n\n{\n // GOOD: use a named query with a named parameter and set its value\n @NamedQuery(\n 
name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery1 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery1.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a named query with a positional parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery2 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery2.setParameter(1, category);\n}\n```\n\n## References\n* OWASP: [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n* SEI CERT Oracle Coding Standard for Java: [IDS00-J. Prevent SQL injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS00-J.+Prevent+SQL+injection).\n* The Java Tutorials: [Using Prepared Statements](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html).\n* The Java EE Tutorial: [The Java Persistence Query Language](https://docs.oracle.com/javaee/7/tutorial/persistence-querylanguage.htm).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-564](https://cwe.mitre.org/data/definitions/564.html).\n", + "markdown": "# Query built from user-controlled sources\nIf a database query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious database queries. This applies to various database query languages, including SQL and the Java Persistence Query Language.\n\n\n## Recommendation\nUsually, it is better to use a SQL prepared statement than to build a complete SQL query with string concatenation. 
A prepared statement can include a wildcard, written as a question mark (?), for each part of the SQL query that is expected to be filled in by a different value each time it is run. When the query is later executed, a value must be supplied for each wildcard in the query.\n\nIn the Java Persistence Query Language, it is better to use queries with parameters than to build a complete query with string concatenation. A Java Persistence query can include a parameter placeholder for each part of the query that is expected to be filled in by a different value when run. A parameter placeholder may be indicated by a colon (:) followed by a parameter name, or by a question mark (?) followed by an integer position. When the query is later executed, a value must be supplied for each parameter in the query, using the `setParameter` method. Specifying the query using the `@NamedQuery` annotation introduces an additional level of safety: the query must be a constant string literal, preventing construction by string concatenation, and the only way to fill in values for parts of the query is by setting positional parameters.\n\nIt is good practice to use prepared statements (in SQL) or query parameters (in the Java Persistence Query Language) for supplying parameter values to a query, whether or not any of the parameters are directly traceable to user input. Doing so avoids any need to worry about quoting and escaping.\n\n\n## Example\nIn the following example, the code runs a simple SQL query in two different ways.\n\nThe first way involves building a query, `query1`, by concatenating an environment variable with some string literals. The environment variable can include special characters, so this code allows for SQL injection attacks.\n\nThe second way, which shows good practice, involves building a query, `query2`, with a single string literal that includes a wildcard (`?`). The wildcard is then given a value by calling `setString`. 
This version is immune to injection attacks, because any special characters in the environment variable are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have SQL special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\"\n + category + \"' ORDER BY PRICE\";\n ResultSet results = statement.executeQuery(query1);\n}\n\n{\n // GOOD: use a prepared query\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE\";\n PreparedStatement statement = connection.prepareStatement(query2);\n statement.setString(1, category);\n ResultSet results = statement.executeQuery();\n}\n```\n\n## Example\nThe following code shows several different ways to run a Java Persistence query.\n\nThe first example involves building a query, `query1`, by concatenating an environment variable with some string literals. Just like the SQL example, the environment variable can include special characters, so this code allows for Java Persistence query injection attacks.\n\nThe remaining examples demonstrate different methods for safely building a Java Persistence query with user-supplied values:\n\n1. `query2` uses a single string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `query3` uses a single string literal that includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\n1. `namedQuery1` is defined using the `@NamedQuery` annotation, whose `query` attribute is a string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. 
`namedQuery2` is defined using the `@NamedQuery` annotation, whose `query` attribute includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\nThe parameter is then given a value by calling `setParameter`. These versions are immune to injection attacks, because any special characters in the environment variable or user-supplied value are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have Java Persistence Query Language special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT p FROM Product p WHERE p.category LIKE '\"\n + category + \"' ORDER BY p.price\";\n Query q = entityManager.createQuery(query1);\n}\n\n{\n // GOOD: use a named parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\"\n Query q = entityManager.createQuery(query2);\n q.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a positional parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query3 = \"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\"\n Query q = entityManager.createQuery(query3);\n q.setParameter(1, category);\n}\n\n{\n // GOOD: use a named query with a named parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery1 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery1.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a named query with a positional parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY 
p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery2 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery2.setParameter(1, category);\n}\n```\n\n## References\n* OWASP: [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n* SEI CERT Oracle Coding Standard for Java: [IDS00-J. Prevent SQL injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS00-J.+Prevent+SQL+injection).\n* The Java Tutorials: [Using Prepared Statements](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html).\n* The Java EE Tutorial: [The Java Persistence Query Language](https://docs.oracle.com/javaee/7/tutorial/persistence-querylanguage.htm).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-564](https://cwe.mitre.org/data/definitions/564.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-089", + "external/cwe/cwe-564", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/ssrf", + "name": "java/ssrf", + "shortDescription": { + "text": "Server-side request forgery" + }, + "fullDescription": { + "text": "Making web requests based on unvalidated user-input may cause the server to communicate with malicious servers." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Server-side request forgery\nDirectly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. 
In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.\n\n\n## Recommendation\nTo guard against SSRF attacks, you should avoid putting user-provided input directly into a request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the input provided. Alternatively, ensure requests constructed from user input are limited to a particular host or more restrictive URL prefix.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\nimport java.net.http.HttpClient;\n\npublic class SSRF extends HttpServlet {\n\tprivate static final String VALID_URI = \"http://lgtm.com\";\n\tprivate HttpClient client = HttpClient.newHttpClient();\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\tthrows ServletException, IOException {\n\t\tURI uri = new URI(request.getParameter(\"uri\"));\n\t\t// BAD: a request parameter is incorporated without validation into a Http request\n\t\tHttpRequest r = HttpRequest.newBuilder(uri).build();\n\t\tclient.send(r, null);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_URI.equals(request.getParameter(\"uri\"))) {\n\t\t\tHttpRequest r2 = HttpRequest.newBuilder(uri).build();\n\t\t\tclient.send(r2, null);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* [OWASP SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n", + "markdown": "# Server-side request forgery\nDirectly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. 
In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.\n\n\n## Recommendation\nTo guard against SSRF attacks, you should avoid putting user-provided input directly into a request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the input provided. Alternatively, ensure requests constructed from user input are limited to a particular host or more restrictive URL prefix.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\nimport java.net.http.HttpClient;\n\npublic class SSRF extends HttpServlet {\n\tprivate static final String VALID_URI = \"http://lgtm.com\";\n\tprivate HttpClient client = HttpClient.newHttpClient();\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\tthrows ServletException, IOException {\n\t\tURI uri = new URI(request.getParameter(\"uri\"));\n\t\t// BAD: a request parameter is incorporated without validation into a Http request\n\t\tHttpRequest r = HttpRequest.newBuilder(uri).build();\n\t\tclient.send(r, null);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_URI.equals(request.getParameter(\"uri\"))) {\n\t\t\tHttpRequest r2 = HttpRequest.newBuilder(uri).build();\n\t\t\tclient.send(r2, null);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* [OWASP SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-918", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql", + "precision": "high", + "security-severity": "9.1" + } + }, + { + "id": "java/stack-trace-exposure", + "name": "java/stack-trace-exposure", + "shortDescription": { + "text": "Information exposure through a stack trace" + }, + "fullDescription": { + "text": "Information from a stack trace propagates to an external user. Stack traces can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. 
That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n", + "markdown": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. 
The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. 
Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-209", + "external/cwe/cwe-497", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql", + "precision": "high", + "security-severity": "5.4" + } + }, + { + "id": "java/static-initialization-vector", + "name": "java/static-initialization-vector", + "shortDescription": { + "text": "Using a static initialization vector for encryption" + }, + "fullDescription": { + "text": "An initialization vector (IV) used for ciphers of certain modes (such as CBC or GCM) should be unique and unpredictable, to maximize encryption and prevent dictionary attacks." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Using a static initialization vector for encryption\nWhen a cipher is used in certain modes such as CBC or GCM, it requires an initialization vector (IV). Under the same secret key, IVs should be unique and ideally unpredictable. If the same IV is used with the same secret key, then the same plaintext results in the same ciphertext. 
This can let an attacker learn if the same data pieces are transferred or stored, or help the attacker run a dictionary attack.\n\n\n## Recommendation\nUse a random IV generated by `SecureRandom`.\n\n\n## Example\nThe following example initializes a cipher with a static IV, which is unsafe:\n\n\n```java\nbyte[] iv = new byte[16]; // all zeroes\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\nThe next example initializes a cipher with a random IV:\n\n\n```java\nbyte[] iv = new byte[16];\nSecureRandom random = SecureRandom.getInstanceStrong();\nrandom.nextBytes(iv);\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\n\n## References\n* Wikipedia: [Initialization vector](https://en.wikipedia.org/wiki/Initialization_vector).\n* National Institute of Standards and Technology: [Recommendation for Block Cipher Modes of Operation](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).\n* National Institute of Standards and Technology: [FIPS 140-2: Security Requirements for Cryptographic Modules](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf).\n* Common Weakness Enumeration: [CWE-329](https://cwe.mitre.org/data/definitions/329.html).\n* Common Weakness Enumeration: [CWE-1204](https://cwe.mitre.org/data/definitions/1204.html).\n", + "markdown": "# Using a static initialization vector for encryption\nWhen a cipher is used in certain modes such as CBC or GCM, it requires an initialization vector (IV). Under the same secret key, IVs should be unique and ideally unpredictable. If the same IV is used with the same secret key, then the same plaintext results in the same ciphertext. 
This can let an attacker learn if the same data pieces are transferred or stored, or help the attacker run a dictionary attack.\n\n\n## Recommendation\nUse a random IV generated by `SecureRandom`.\n\n\n## Example\nThe following example initializes a cipher with a static IV, which is unsafe:\n\n\n```java\nbyte[] iv = new byte[16]; // all zeroes\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\nThe next example initializes a cipher with a random IV:\n\n\n```java\nbyte[] iv = new byte[16];\nSecureRandom random = SecureRandom.getInstanceStrong();\nrandom.nextBytes(iv);\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\n\n## References\n* Wikipedia: [Initialization vector](https://en.wikipedia.org/wiki/Initialization_vector).\n* National Institute of Standards and Technology: [Recommendation for Block Cipher Modes of Operation](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).\n* National Institute of Standards and Technology: [FIPS 140-2: Security Requirements for Cryptographic Modules](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf).\n* Common Weakness Enumeration: [CWE-329](https://cwe.mitre.org/data/definitions/329.html).\n* Common Weakness Enumeration: [CWE-1204](https://cwe.mitre.org/data/definitions/1204.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1204", + "external/cwe/cwe-329", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/summary/lines-of-code", + "name": "java/summary/lines-of-code", + "shortDescription": { + "text": "Total lines of Java/Kotlin 
code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Java and Kotlin files. This is a useful metric of the size of a database. For all source files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "lines-of-code", + "summary" + ] + } + }, + { + "id": "java/summary/lines-of-code-java", + "name": "java/summary/lines-of-code-java", + "shortDescription": { + "text": "Total lines of Java code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Java files. This is a useful metric of the size of a database. For all Java files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "summary" + ] + } + }, + { + "id": "java/summary/lines-of-code-kotlin", + "name": "java/summary/lines-of-code-kotlin", + "shortDescription": { + "text": "Total lines of Kotlin code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Kotlin files. This is a useful metric of the size of a database. For all Kotlin files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "summary" + ] + } + }, + { + "id": "java/tainted-format-string", + "name": "java/tainted-format-string", + "shortDescription": { + "text": "Use of externally-controlled format string" + }, + "fullDescription": { + "text": "Using external input in format strings can lead to exceptions or information leaks." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of externally-controlled format string\nThe `String.format` method and related methods, like `PrintStream.printf` and `Formatter.format`, all accept a format string that is used to format the trailing arguments to the format call by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain extra format specifiers that cause an exception to be thrown or information to be leaked.\n\nThe Java standard library implementation for the format methods throws an exception if either the format specifier does not match the type of the argument, or if there are too few or too many arguments. If unsanitized input is used in the format string, it may contain invalid extra format specifiers which cause an exception to be thrown.\n\nPositional format specifiers may be used to access an argument to the format call by position. Unsanitized input in the format string may use a positional format specifier to access information that was not intended to be visible. 
For example, when formatting a Calendar instance we may intend to print only the year, but a user-specified format string may include a specifier to access the month and day.\n\n\n## Recommendation\nIf the argument passed as a format string is meant to be a plain string rather than a format string, then pass `%s` as the format string, and pass the original argument as the sole trailing argument.\n\n\n## Example\nThe following program is meant to check a card security code for a stored credit card:\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response)\n throws ServletException, IOException {\n Calendar expirationDate = new GregorianCalendar(2017, GregorianCalendar.SEPTEMBER, 1);\n // User provided value\n String cardSecurityCode = request.getParameter(\"cardSecurityCode\");\n \n if (notValid(cardSecurityCode)) {\n \n /*\n * BAD: user provided value is included in the format string.\n * A malicious user could provide an extra format specifier, which causes an\n * exception to be thrown. Or they could provide a %1$tm or %1$te format specifier to\n * access the month or day of the expiration date.\n */\n System.out.format(cardSecurityCode +\n \" is not the right value. Hint: the card expires in %1$ty.\",\n expirationDate);\n \n // GOOD: %s is used to include the user-provided cardSecurityCode in the output\n System.out.format(\"%s is not the right value. Hint: the card expires in %2$ty.\",\n cardSecurityCode,\n expirationDate);\n }\n\n }\n}\n```\nHowever, in the first format call it uses the cardSecurityCode provided by the user in a format string. If the user includes a format specifier in the cardSecurityCode field, they may be able to cause an exception to be thrown, or to be able to access extra information about the stored card expiration date.\n\nThe second format call shows the correct approach. The user-provided value is passed as an argument to the format call. 
This prevents any format specifiers in the user provided value from being evaluated.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [IDS06-J. Exclude unsanitized user input from format strings](https://wiki.sei.cmu.edu/confluence/display/java/IDS06-J.+Exclude+unsanitized+user+input+from+format+strings).\n* The Java Tutorials: [Formatting Numeric Print Output](https://docs.oracle.com/javase/tutorial/java/data/numberformat.html).\n* Java API Specification: [Formatter](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/Formatter.html).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n", + "markdown": "# Use of externally-controlled format string\nThe `String.format` method and related methods, like `PrintStream.printf` and `Formatter.format`, all accept a format string that is used to format the trailing arguments to the format call by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain extra format specifiers that cause an exception to be thrown or information to be leaked.\n\nThe Java standard library implementation for the format methods throws an exception if either the format specifier does not match the type of the argument, or if there are too few or too many arguments. If unsanitized input is used in the format string, it may contain invalid extra format specifiers which cause an exception to be thrown.\n\nPositional format specifiers may be used to access an argument to the format call by position. Unsanitized input in the format string may use a positional format specifier to access information that was not intended to be visible. 
For example, when formatting a Calendar instance we may intend to print only the year, but a user-specified format string may include a specifier to access the month and day.\n\n\n## Recommendation\nIf the argument passed as a format string is meant to be a plain string rather than a format string, then pass `%s` as the format string, and pass the original argument as the sole trailing argument.\n\n\n## Example\nThe following program is meant to check a card security code for a stored credit card:\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response)\n throws ServletException, IOException {\n Calendar expirationDate = new GregorianCalendar(2017, GregorianCalendar.SEPTEMBER, 1);\n // User provided value\n String cardSecurityCode = request.getParameter(\"cardSecurityCode\");\n \n if (notValid(cardSecurityCode)) {\n \n /*\n * BAD: user provided value is included in the format string.\n * A malicious user could provide an extra format specifier, which causes an\n * exception to be thrown. Or they could provide a %1$tm or %1$te format specifier to\n * access the month or day of the expiration date.\n */\n System.out.format(cardSecurityCode +\n \" is not the right value. Hint: the card expires in %1$ty.\",\n expirationDate);\n \n // GOOD: %s is used to include the user-provided cardSecurityCode in the output\n System.out.format(\"%s is not the right value. Hint: the card expires in %2$ty.\",\n cardSecurityCode,\n expirationDate);\n }\n\n }\n}\n```\nHowever, in the first format call it uses the cardSecurityCode provided by the user in a format string. If the user includes a format specifier in the cardSecurityCode field, they may be able to cause an exception to be thrown, or to be able to access extra information about the stored card expiration date.\n\nThe second format call shows the correct approach. The user-provided value is passed as an argument to the format call. 
This prevents any format specifiers in the user provided value from being evaluated.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [IDS06-J. Exclude unsanitized user input from format strings](https://wiki.sei.cmu.edu/confluence/display/java/IDS06-J.+Exclude+unsanitized+user+input+from+format+strings).\n* The Java Tutorials: [Formatting Numeric Print Output](https://docs.oracle.com/javase/tutorial/java/data/numberformat.html).\n* Java API Specification: [Formatter](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/Formatter.html).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-134", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/tainted-numeric-cast", + "name": "java/tainted-numeric-cast", + "shortDescription": { + "text": "User-controlled data in numeric cast" + }, + "fullDescription": { + "text": "Casting user-controlled numeric data to a narrower type without validation can cause unexpected truncation." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# User-controlled data in numeric cast\nCasting a user-controlled numeric value to a narrower type can result in truncated values unless the input is validated.\n\nNarrowing conversions may cause potentially unintended results. 
For example, casting the positive integer value `128` to type `byte` yields the negative value `-128`.\n\n\n## Recommendation\nGuard against unexpected truncation of user-controlled arithmetic data by doing one of the following:\n\n* Validate the user input.\n* Define a guard on the cast expression, so that the cast is performed only if the input is known to be within the range of the resulting type.\n* Avoid casting to a narrower type, and instead continue to use a wider type.\n\n## Example\nIn this example, a value is read from standard input into a `long`. Because the value is a user-controlled value, it could be extremely large. Casting this value to a narrower type could therefore cause unexpected truncation. The `scaled2` example uses a guard to avoid this problem and checks the range of the input before performing the cast. If the value is too large to cast to type `int` it is rejected as invalid.\n\n\n```java\nclass Test {\n\tpublic static void main(String[] args) throws IOException {\n\t\t{\n\t\t\tlong data;\n\n\t\t\tBufferedReader readerBuffered = new BufferedReader(\n\t\t\t\t\tnew InputStreamReader(System.in, \"UTF-8\"));\n\t\t\tString stringNumber = readerBuffered.readLine();\n\t\t\tif (stringNumber != null) {\n\t\t\t\tdata = Long.parseLong(stringNumber.trim());\n\t\t\t} else {\n\t\t\t\tdata = 0;\n\t\t\t}\n\n\t\t\t// AVOID: potential truncation if input data is very large,\n\t\t\t// for example 'Long.MAX_VALUE'\n\t\t\tint scaled = (int)data;\n\n\t\t\t//...\n\n\t\t\t// GOOD: use a guard to ensure no truncation occurs\n\t\t\tint scaled2;\n\t\t\tif (data > Integer.MIN_VALUE && data < Integer.MAX_VALUE)\n\t\t\t\tscaled2 = (int)data;\n\t\t\telse\n\t\t\t\tthrow new IllegalArgumentException(\"Invalid input\");\n\t\t}\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [NUM12-J. 
Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data](https://wiki.sei.cmu.edu/confluence/display/java/NUM12-J.+Ensure+conversions+of+numeric+types+to+narrower+types+do+not+result+in+lost+or+misinterpreted+data).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n", + "markdown": "# User-controlled data in numeric cast\nCasting a user-controlled numeric value to a narrower type can result in truncated values unless the input is validated.\n\nNarrowing conversions may cause potentially unintended results. For example, casting the positive integer value `128` to type `byte` yields the negative value `-128`.\n\n\n## Recommendation\nGuard against unexpected truncation of user-controlled arithmetic data by doing one of the following:\n\n* Validate the user input.\n* Define a guard on the cast expression, so that the cast is performed only if the input is known to be within the range of the resulting type.\n* Avoid casting to a narrower type, and instead continue to use a wider type.\n\n## Example\nIn this example, a value is read from standard input into a `long`. Because the value is a user-controlled value, it could be extremely large. Casting this value to a narrower type could therefore cause unexpected truncation. The `scaled2` example uses a guard to avoid this problem and checks the range of the input before performing the cast. 
If the value is too large to cast to type `int` it is rejected as invalid.\n\n\n```java\nclass Test {\n\tpublic static void main(String[] args) throws IOException {\n\t\t{\n\t\t\tlong data;\n\n\t\t\tBufferedReader readerBuffered = new BufferedReader(\n\t\t\t\t\tnew InputStreamReader(System.in, \"UTF-8\"));\n\t\t\tString stringNumber = readerBuffered.readLine();\n\t\t\tif (stringNumber != null) {\n\t\t\t\tdata = Long.parseLong(stringNumber.trim());\n\t\t\t} else {\n\t\t\t\tdata = 0;\n\t\t\t}\n\n\t\t\t// AVOID: potential truncation if input data is very large,\n\t\t\t// for example 'Long.MAX_VALUE'\n\t\t\tint scaled = (int)data;\n\n\t\t\t//...\n\n\t\t\t// GOOD: use a guard to ensure no truncation occurs\n\t\t\tint scaled2;\n\t\t\tif (data > Integer.MIN_VALUE && data < Integer.MAX_VALUE)\n\t\t\t\tscaled2 = (int)data;\n\t\t\telse\n\t\t\t\tthrow new IllegalArgumentException(\"Invalid input\");\n\t\t}\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data](https://wiki.sei.cmu.edu/confluence/display/java/NUM12-J.+Ensure+conversions+of+numeric+types+to+narrower+types+do+not+result+in+lost+or+misinterpreted+data).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-197", + "external/cwe/cwe-681", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql", + "precision": "high", + "security-severity": "9" + } + }, + { + "id": "java/tainted-permissions-check", + "name": "java/tainted-permissions-check", + "shortDescription": { + "text": "User-controlled data used in permissions check" + }, + "fullDescription": { + "text": "Using user-controlled data in a 
permissions check may result in inappropriate permissions being granted." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# User-controlled data used in permissions check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nThis example, using the Apache Shiro security framework, shows two ways to specify the permissions to check. The first way uses a string, `whatDoTheyWantToDo`, to specify the permissions to check. However, this string is built from user input. This can allow an attacker to force a check against a permission that they know they have, rather than the permission that should be checked. For example, while trying to access the account details of another user, the attacker could force the system to check whether they had permissions to access their *own* account details, which is incorrect, and would allow them to perform the action. 
The second, more secure way uses a fixed check that does not depend on data that is controlled by the user.\n\n\n```java\npublic static void main(String[] args) {\n\tString whatDoTheyWantToDo = args[0];\n\tSubject subject = SecurityUtils.getSubject();\n\n\t// BAD: permissions decision made using tainted data\n\tif(subject.isPermitted(\"domain:sublevel:\" + whatDoTheyWantToDo))\n\t\tdoIt();\n\n\t// GOOD: use fixed checks\n\tif(subject.isPermitted(\"domain:sublevel:whatTheMethodDoes\"))\n\t\tdoIt();\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SEC02-J. Do not base security checks on untrusted sources](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources).\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n", + "markdown": "# User-controlled data used in permissions check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nThis example, using the Apache Shiro security framework, shows two ways to specify the permissions to check. The first way uses a string, `whatDoTheyWantToDo`, to specify the permissions to check. However, this string is built from user input. 
This can allow an attacker to force a check against a permission that they know they have, rather than the permission that should be checked. For example, while trying to access the account details of another user, the attacker could force the system to check whether they had permissions to access their *own* account details, which is incorrect, and would allow them to perform the action. The second, more secure way uses a fixed check that does not depend on data that is controlled by the user.\n\n\n```java\npublic static void main(String[] args) {\n\tString whatDoTheyWantToDo = args[0];\n\tSubject subject = SecurityUtils.getSubject();\n\n\t// BAD: permissions decision made using tainted data\n\tif(subject.isPermitted(\"domain:sublevel:\" + whatDoTheyWantToDo))\n\t\tdoIt();\n\n\t// GOOD: use fixed checks\n\tif(subject.isPermitted(\"domain:sublevel:whatTheMethodDoes\"))\n\t\tdoIt();\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SEC02-J. Do not base security checks on untrusted sources](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources).\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-290", + "external/cwe/cwe-807", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/telemetry/external-libs", + "name": "java/telemetry/external-libs", + "shortDescription": { + "text": "External libraries" + }, + "fullDescription": { + "text": "A list of external libraries used in the code" + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": 
"java/telemetry/extraction-information", + "name": "java/telemetry/extraction-information", + "shortDescription": { + "text": "Java extraction information" + }, + "fullDescription": { + "text": "Information about the extraction for a Java database" + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api", + "name": "java/telemetry/supported-external-api", + "shortDescription": { + "text": "Usage of supported APIs coming from external libraries" + }, + "fullDescription": { + "text": "A list of supported 3rd party APIs used in the codebase. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-sinks", + "name": "java/telemetry/supported-external-api-sinks", + "shortDescription": { + "text": "Supported sinks in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as sinks. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-sources", + "name": "java/telemetry/supported-external-api-sources", + "shortDescription": { + "text": "Supported sources in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as sources. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-taint", + "name": "java/telemetry/supported-external-api-taint", + "shortDescription": { + "text": "Supported flow steps in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as flow steps. Excludes test and generated code." 
+ }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/unsupported-external-api", + "name": "java/telemetry/unsupported-external-api", + "shortDescription": { + "text": "Usage of unsupported APIs coming from external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs used in the codebase. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/unsafe-deserialization", + "name": "java/unsafe-deserialization", + "shortDescription": { + "text": "Deserialization of user-controlled data" + }, + "fullDescription": { + "text": "Deserializing user-controlled data may allow attackers to execute arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.\n\nThere are many different serialization frameworks. This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through `ObjectInputStream`/`ObjectOutputStream`.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. 
If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\nRecommendations specific to particular frameworks supported by this query:\n\n**FastJson** - `com.alibaba:fastjson`\n\n* **Secure by Default**: Partially\n* **Recommendation**: Call `com.alibaba.fastjson.parser.ParserConfig#setSafeMode` with the argument `true` before deserializing untrusted data.\n\n\n**FasterXML** - `com.fasterxml.jackson.core:jackson-databind`\n\n* **Secure by Default**: Yes\n* **Recommendation**: Don't call `com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping` and don't annotate any object fields with `com.fasterxml.jackson.annotation.JsonTypeInfo` passing either the `CLASS` or `MINIMAL_CLASS` values to the annotation. 
Read [this guide](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba).\n\n\n**Kryo** - `com.esotericsoftware:kryo` and `com.esotericsoftware:kryo5`\n\n* **Secure by Default**: Yes for `com.esotericsoftware:kryo5` and for `com.esotericsoftware:kryo` >= v5.0.0\n* **Recommendation**: Don't call `com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired` with the argument `false` on any `Kryo` instance that may deserialize untrusted data.\n\n\n**ObjectInputStream** - `Java Standard Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Use a validating input stream, such as `org.apache.commons.io.serialization.ValidatingObjectInputStream`.\n\n\n**SnakeYAML** - `org.yaml:snakeyaml`\n\n* **Secure by Default**: No\n* **Recommendation**: Pass an instance of `org.yaml.snakeyaml.constructor.SafeConstructor` to `org.yaml.snakeyaml.Yaml`'s constructor before using it to deserialize untrusted data.\n\n\n**XML Decoder** - `Standard Java Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Do not use with untrusted user input.\n\n\n**ObjectMesssage** - `Java EE/Jakarta EE`\n\n* **Secure by Default**: Depends on the JMS implementation.\n* **Recommendation**: Do not use with untrusted user input.\n\n\n\n## Example\nThe following example calls `readObject` directly on an `ObjectInputStream` that is constructed from untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic MyObject {\n public int field;\n MyObject(int field) {\n this.field = field;\n }\n}\n\npublic MyObject deserialize(Socket sock) {\n try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {\n return (MyObject)in.readObject(); // unsafe\n }\n}\n\n```\nRewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.\n\n\n```java\npublic MyObject deserialize(Socket sock) {\n try(DataInputStream in = new DataInputStream(sock.getInputStream())) {\n return new MyObject(in.readInt());\n 
}\n}\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Talks by Chris Frohoff & Gabriel Lawrence: [ AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day](http://frohoff.github.io/appseccali-marshalling-pickles/), [OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization](http://frohoff.github.io/owaspsd-deserialize-my-shorts/).\n* Alvaro Muñoz & Christian Schneider, RSAConference 2016: [Serial Killer: Silently Pwning Your Java Endpoints](https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints).\n* SnakeYaml documentation on deserialization: [SnakeYaml deserialization](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml).\n* Hessian deserialization and related gadget chains: [Hessian deserialization](https://paper.seebug.org/1137/).\n* Castor and Hessian java deserialization vulnerabilities: [Castor and Hessian deserialization](https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/).\n* Remote code execution in JYaml library: [JYaml deserialization](https://www.cybersecurity-help.cz/vdb/SB2020022512).\n* JsonIO deserialization vulnerabilities: [JsonIO deserialization](https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/).\n* Research by Moritz Bechler: [Java Unmarshaller Security - Turning your data into code execution](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)\n* Blog posts by the developer of Jackson libraries: [On Jackson CVEs: Don’t Panic — Here is what you need to 
know](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) [Jackson 2.10: Safe Default Typing](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba)\n* Jabsorb documentation on deserialization: [Jabsorb JSON Serializer](https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/).\n* Jodd JSON documentation on deserialization: [JoddJson Parser](https://json.jodd.org/parser).\n* RCE in Flexjson: [Flexjson deserialization](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html).\n* Android Intent deserialization vulnerabilities with GSON parser: [Insecure use of JSON parsers](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers).\n* Research by Matthias Kaiser: [Pwning Your Java Messaging With Deserialization Vulnerabilities](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n", + "markdown": "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.\n\nThere are many different serialization frameworks. 
This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through `ObjectInputStream`/`ObjectOutputStream`.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\nRecommendations specific to particular frameworks supported by this query:\n\n**FastJson** - `com.alibaba:fastjson`\n\n* **Secure by Default**: Partially\n* **Recommendation**: Call `com.alibaba.fastjson.parser.ParserConfig#setSafeMode` with the argument `true` before deserializing untrusted data.\n\n\n**FasterXML** - `com.fasterxml.jackson.core:jackson-databind`\n\n* **Secure by Default**: Yes\n* **Recommendation**: Don't call `com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping` and don't annotate any object fields with `com.fasterxml.jackson.annotation.JsonTypeInfo` passing either the `CLASS` or `MINIMAL_CLASS` values to the annotation. 
Read [this guide](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba).\n\n\n**Kryo** - `com.esotericsoftware:kryo` and `com.esotericsoftware:kryo5`\n\n* **Secure by Default**: Yes for `com.esotericsoftware:kryo5` and for `com.esotericsoftware:kryo` >= v5.0.0\n* **Recommendation**: Don't call `com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired` with the argument `false` on any `Kryo` instance that may deserialize untrusted data.\n\n\n**ObjectInputStream** - `Java Standard Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Use a validating input stream, such as `org.apache.commons.io.serialization.ValidatingObjectInputStream`.\n\n\n**SnakeYAML** - `org.yaml:snakeyaml`\n\n* **Secure by Default**: No\n* **Recommendation**: Pass an instance of `org.yaml.snakeyaml.constructor.SafeConstructor` to `org.yaml.snakeyaml.Yaml`'s constructor before using it to deserialize untrusted data.\n\n\n**XML Decoder** - `Standard Java Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Do not use with untrusted user input.\n\n\n**ObjectMesssage** - `Java EE/Jakarta EE`\n\n* **Secure by Default**: Depends on the JMS implementation.\n* **Recommendation**: Do not use with untrusted user input.\n\n\n\n## Example\nThe following example calls `readObject` directly on an `ObjectInputStream` that is constructed from untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic MyObject {\n public int field;\n MyObject(int field) {\n this.field = field;\n }\n}\n\npublic MyObject deserialize(Socket sock) {\n try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {\n return (MyObject)in.readObject(); // unsafe\n }\n}\n\n```\nRewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.\n\n\n```java\npublic MyObject deserialize(Socket sock) {\n try(DataInputStream in = new DataInputStream(sock.getInputStream())) {\n return new MyObject(in.readInt());\n 
}\n}\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Talks by Chris Frohoff & Gabriel Lawrence: [ AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day](http://frohoff.github.io/appseccali-marshalling-pickles/), [OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization](http://frohoff.github.io/owaspsd-deserialize-my-shorts/).\n* Alvaro Muñoz & Christian Schneider, RSAConference 2016: [Serial Killer: Silently Pwning Your Java Endpoints](https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints).\n* SnakeYaml documentation on deserialization: [SnakeYaml deserialization](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml).\n* Hessian deserialization and related gadget chains: [Hessian deserialization](https://paper.seebug.org/1137/).\n* Castor and Hessian java deserialization vulnerabilities: [Castor and Hessian deserialization](https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/).\n* Remote code execution in JYaml library: [JYaml deserialization](https://www.cybersecurity-help.cz/vdb/SB2020022512).\n* JsonIO deserialization vulnerabilities: [JsonIO deserialization](https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/).\n* Research by Moritz Bechler: [Java Unmarshaller Security - Turning your data into code execution](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)\n* Blog posts by the developer of Jackson libraries: [On Jackson CVEs: Don’t Panic — Here is what you need to 
know](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) [Jackson 2.10: Safe Default Typing](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba)\n* Jabsorb documentation on deserialization: [Jabsorb JSON Serializer](https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/).\n* Jodd JSON documentation on deserialization: [JoddJson Parser](https://json.jodd.org/parser).\n* RCE in Flexjson: [Flexjson deserialization](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html).\n* Android Intent deserialization vulnerabilities with GSON parser: [Insecure use of JSON parsers](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers).\n* Research by Matthias Kaiser: [Pwning Your Java Messaging With Deserialization Vulnerabilities](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-502", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/unsafe-hostname-verification", + "name": "java/unsafe-hostname-verification", + "shortDescription": { + "text": "Unsafe hostname verification" + }, + "fullDescription": { + "text": "Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Unsafe hostname verification\nIf a `HostnameVerifier` always returns `true` it will not verify the hostname at all. 
This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a man-in-the-middle attack against the application.\n\nAn attack might look like this:\n\n1. The program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.\n1. The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.\n1. The Java HTTPS library checks whether the certificate has been issued for the host `example.com`. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: `malicious.domain`.\n1. The HTTPS library wants to reject the certificate because the hostname does not match. Before doing this it checks whether a `HostnameVerifier` exists.\n1. Your `HostnameVerifier` is called which returns `true` for any certificate so also for this one.\n1. The program proceeds with the connection since your `HostnameVerifier` accepted it.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use an open `HostnameVerifier`. If you have a configuration problem with TLS/HTTPS, you should always solve the configuration problem instead of using an open verifier.\n\n\n## Example\nIn the first (bad) example, the `HostnameVerifier` always returns `true`. This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname. 
In the second (good) example, the `HostnameVerifier` only returns `true` when the certificate has been correctly checked.\n\n\n```java\npublic static void main(String[] args) {\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\treturn true; // BAD: accept even if the hostname doesn't match\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\ttry { // GOOD: verify the certificate\n\t\t\t\t\tCertificate[] certs = session.getPeerCertificates();\n\t\t\t\t\tX509Certificate x509 = (X509Certificate) certs[0];\n\t\t\t\t\tcheck(new String[]{host}, x509);\n\t\t\t\t\treturn true;\n\t\t\t\t} catch (SSLException e) {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n}\n```\n\n## References\n* Android developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Terse systems blog: [Fixing Hostname Verification](https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n", + "markdown": "# Unsafe hostname verification\nIf a `HostnameVerifier` always returns `true` it will not verify the hostname at all. This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a man-in-the-middle attack against the application.\n\nAn attack might look like this:\n\n1. The program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.\n1. The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.\n1. 
The Java HTTPS library checks whether the certificate has been issued for the host `example.com`. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: `malicious.domain`.\n1. The HTTPS library wants to reject the certificate because the hostname does not match. Before doing this it checks whether a `HostnameVerifier` exists.\n1. Your `HostnameVerifier` is called which returns `true` for any certificate so also for this one.\n1. The program proceeds with the connection since your `HostnameVerifier` accepted it.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use an open `HostnameVerifier`. If you have a configuration problem with TLS/HTTPS, you should always solve the configuration problem instead of using an open verifier.\n\n\n## Example\nIn the first (bad) example, the `HostnameVerifier` always returns `true`. This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname. 
In the second (good) example, the `HostnameVerifier` only returns `true` when the certificate has been correctly checked.\n\n\n```java\npublic static void main(String[] args) {\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\treturn true; // BAD: accept even if the hostname doesn't match\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\ttry { // GOOD: verify the certificate\n\t\t\t\t\tCertificate[] certs = session.getPeerCertificates();\n\t\t\t\t\tX509Certificate x509 = (X509Certificate) certs[0];\n\t\t\t\t\tcheck(new String[]{host}, x509);\n\t\t\t\t\treturn true;\n\t\t\t\t} catch (SSLException e) {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n}\n```\n\n## References\n* Android developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Terse systems blog: [Fixing Hostname Verification](https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-297", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql", + "precision": "high", + "security-severity": "5.9" + } + }, + { + "id": "java/unvalidated-url-forward", + "name": "java/unvalidated-url-forward", + "shortDescription": { + "text": "URL forward from a remote source" + }, + "fullDescription": { + "text": "URL forward based on unvalidated user input may cause file information disclosure." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# URL forward from a remote source\nDirectly incorporating user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.\n\n\n## Recommendation\nTo guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\npublic class UrlForward extends HttpServlet {\n\tprivate static final String VALID_FORWARD = \"https://cwe.mitre.org/data/definitions/552.html\";\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\t\tthrows ServletException, IOException {\n\t\tServletConfig cfg = getServletConfig();\n\t\tServletContext sc = cfg.getServletContext();\n\n\t\t// BAD: a request parameter is incorporated without validation into a URL forward\n\t\tsc.getRequestDispatcher(request.getParameter(\"target\")).forward(request, response);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_FORWARD.equals(request.getParameter(\"target\"))) {\n\t\t\tsc.getRequestDispatcher(VALID_FORWARD).forward(request, response);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* OWASP: [Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-552](https://cwe.mitre.org/data/definitions/552.html).\n", + "markdown": "# URL forward from a remote source\nDirectly incorporating 
user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.\n\n\n## Recommendation\nTo guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\npublic class UrlForward extends HttpServlet {\n\tprivate static final String VALID_FORWARD = \"https://cwe.mitre.org/data/definitions/552.html\";\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\t\tthrows ServletException, IOException {\n\t\tServletConfig cfg = getServletConfig();\n\t\tServletContext sc = cfg.getServletContext();\n\n\t\t// BAD: a request parameter is incorporated without validation into a URL forward\n\t\tsc.getRequestDispatcher(request.getParameter(\"target\")).forward(request, response);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_FORWARD.equals(request.getParameter(\"target\"))) {\n\t\t\tsc.getRequestDispatcher(VALID_FORWARD).forward(request, response);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* OWASP: [Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-552](https://cwe.mitre.org/data/definitions/552.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-552", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-552/UrlForward.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/unvalidated-url-redirection", + "name": "java/unvalidated-url-redirection", + "shortDescription": { + "text": "URL redirection from remote source" + }, + "fullDescription": { + "text": "URL redirection based on unvalidated user-input may cause redirection to malicious web sites." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# URL redirection from remote source\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n response.sendRedirect(request.getParameter(\"target\"));\n }\n}\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n private static final List VALID_REDIRECTS = Arrays.asList(\n \"http://cwe.mitre.org/data/definitions/601.html\",\n \"http://cwe.mitre.org/data/definitions/79.html\"\n );\n\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // GOOD: the request parameter is validated against a known list of strings\n String target = request.getParameter(\"target\");\n if (VALID_REDIRECTS.contains(target)) {\n response.sendRedirect(target);\n } else {\n response.sendRedirect(\"/error.html\");\n }\n }\n}\n```\nAlternatively, we can check that the target URL does not redirect to a different host by checking that the URL is either relative or on a known good host:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n try {\n String urlString = request.getParameter(\"page\");\n URI url = new URI(urlString);\n\n if 
(!url.isAbsolute()) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a relative URL\n }\n\n if (\"example.org\".equals(url.getHost())) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a known host\n }\n } catch (URISyntaxException e) {\n // handle exception\n }\n }\n}\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Microsoft Docs: [Preventing Open Redirection Attacks (C\\#)](https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", + "markdown": "# URL redirection from remote source\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n response.sendRedirect(request.getParameter(\"target\"));\n }\n}\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n private static final List VALID_REDIRECTS = Arrays.asList(\n \"http://cwe.mitre.org/data/definitions/601.html\",\n \"http://cwe.mitre.org/data/definitions/79.html\"\n );\n\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // GOOD: the request parameter is validated against a known list of strings\n String target = request.getParameter(\"target\");\n if (VALID_REDIRECTS.contains(target)) {\n response.sendRedirect(target);\n } else {\n response.sendRedirect(\"/error.html\");\n }\n }\n}\n```\nAlternatively, we can check that the target URL does not redirect to a different host by checking that the URL is either relative or on a known good host:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n try {\n String urlString = request.getParameter(\"page\");\n URI url = new URI(urlString);\n\n if 
(!url.isAbsolute()) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a relative URL\n }\n\n if (\"example.org\".equals(url.getHost())) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a known host\n }\n } catch (URISyntaxException e) {\n // handle exception\n }\n }\n}\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Microsoft Docs: [Preventing Open Redirection Attacks (C\\#)](https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-601", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/weak-cryptographic-algorithm", + "name": "java/weak-cryptographic-algorithm", + "shortDescription": { + "text": "Use of a broken or risky cryptographic algorithm" + }, + "fullDescription": { + "text": "Using broken or weak cryptographic algorithms can allow an attacker to compromise security." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of a broken or risky cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. 
Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.\n\n\n## Example\nThe following code shows an example of using a java `Cipher` to encrypt some data. When creating a `Cipher` instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```java\n// BAD: DES is a weak algorithm \nCipher des = Cipher.getInstance(\"DES\");\ncipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);\n\nbyte[] encrypted = cipher.doFinal(input.getBytes(\"UTF-8\"));\n\n// ...\n\n// GOOD: AES is a strong algorithm\nCipher aes = Cipher.getInstance(\"AES\");\n\n// ...\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n", + "markdown": "# Use of a broken or risky cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. 
Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.\n\n\n## Example\nThe following code shows an example of using a java `Cipher` to encrypt some data. When creating a `Cipher` instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```java\n// BAD: DES is a weak algorithm \nCipher des = Cipher.getInstance(\"DES\");\ncipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);\n\nbyte[] encrypted = cipher.doFinal(input.getBytes(\"UTF-8\"));\n\n// ...\n\n// GOOD: AES is a strong algorithm\nCipher aes = Cipher.getInstance(\"AES\");\n\n// ...\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-327", + "external/cwe/cwe-328", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/world-writable-file-read", + "name": "java/world-writable-file-read", + "shortDescription": { + "text": "Reading from a world writable file" + }, + "fullDescription": { + "text": "Reading from a file which is set as world writable is dangerous because the file may be modified or removed by external actors." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Reading from a world writable file\nReading from a world-writable file is dangerous on a multi-user system because other users may be able to affect program execution by modifying or deleting the file.\n\n\n## Recommendation\nDo not make files explicitly world writable unless the file is intended to be written by multiple users on a multi-user system. In many cases, the file may only need to be writable for the current user.\n\nFor some file systems, there may be alternatives to setting the file to be world writable. For example, POSIX file systems support \"groups\" which may be used to ensure that only subset of all the users can write to the file. Access Control Lists (ACLs) are available for many operating system and file system combinations, and can provide fine-grained read and write support without resorting to world writable permissions.\n\n\n## Example\nIn the following example, we are loading some configuration parameters from a file:\n\n```java\n\nprivate void readConfig(File configFile) {\n if (!configFile.exists()) {\n // Create an empty config file\n configFile.createNewFile();\n // Make the file writable for all\n configFile.setWritable(true, false);\n }\n // Now read the config\n loadConfig(configFile);\n}\n\n```\nIf the configuration file does not yet exist, an empty file is created. Creating an empty file can simplify the later code and is a convenience for the user. However, by setting the file to be world writable, we allow any user on the system to modify the configuration, not just the current user. If there may be untrusted users on the system, this is potentially dangerous.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [FIO01-J. 
Create files with appropriate access permissions](https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions).\n* Common Weakness Enumeration: [CWE-732](https://cwe.mitre.org/data/definitions/732.html).\n", + "markdown": "# Reading from a world writable file\nReading from a world-writable file is dangerous on a multi-user system because other users may be able to affect program execution by modifying or deleting the file.\n\n\n## Recommendation\nDo not make files explicitly world writable unless the file is intended to be written by multiple users on a multi-user system. In many cases, the file may only need to be writable for the current user.\n\nFor some file systems, there may be alternatives to setting the file to be world writable. For example, POSIX file systems support \"groups\" which may be used to ensure that only subset of all the users can write to the file. Access Control Lists (ACLs) are available for many operating system and file system combinations, and can provide fine-grained read and write support without resorting to world writable permissions.\n\n\n## Example\nIn the following example, we are loading some configuration parameters from a file:\n\n```java\n\nprivate void readConfig(File configFile) {\n if (!configFile.exists()) {\n // Create an empty config file\n configFile.createNewFile();\n // Make the file writable for all\n configFile.setWritable(true, false);\n }\n // Now read the config\n loadConfig(configFile);\n}\n\n```\nIf the configuration file does not yet exist, an empty file is created. Creating an empty file can simplify the later code and is a convenience for the user. However, by setting the file to be world writable, we allow any user on the system to modify the configuration, not just the current user. If there may be untrusted users on the system, this is potentially dangerous.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [FIO01-J. 
Create files with appropriate access permissions](https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions).\n* Common Weakness Enumeration: [CWE-732](https://cwe.mitre.org/data/definitions/732.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-732", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/xml/xpath-injection", + "name": "java/xml/xpath-injection", + "shortDescription": { + "text": "XPath injection" + }, + "fullDescription": { + "text": "Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or pre-compile the query and use variable references to include the user input.\n\nXPath injection can also be prevented by using XQuery.\n\n\n## Example\nIn the first three examples, the code accepts a name and password specified by the user, and uses this unvalidated and unsanitized value in an XPath expression. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\nIn the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.\n\nThe final two examples are for dom4j. 
They show an example of XPath injection and one method of preventing it.\n\n\n```java\nfinal String xmlStr = \"\" + \n \" \" + \n \" \" + \n \"\";\ntry {\n DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();\n domFactory.setNamespaceAware(true);\n DocumentBuilder builder = domFactory.newDocumentBuilder();\n //Document doc = builder.parse(\"user.xml\");\n Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));\n\n XPathFactory factory = XPathFactory.newInstance();\n XPath xpath = factory.newXPath();\n\n // Injectable data\n String user = request.getParameter(\"user\");\n String pass = request.getParameter(\"pass\");\n if (user != null && pass != null) {\n boolean isExist = false;\n\n // Bad expression\n String expression1 = \"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\";\n isExist = (boolean)xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n XPathExpression expression2 = xpath.compile(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\");\n isExist = (boolean)expression2.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n StringBuffer sb = new StringBuffer(\"/users/user[@name=\");\n sb.append(user);\n sb.append(\"' and @pass='\");\n sb.append(pass);\n sb.append(\"']\");\n String query = sb.toString();\n XPathExpression expression3 = xpath.compile(query);\n isExist = (boolean)expression3.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Good expression\n String expression4 = \"/users/user[@name=$user and @pass=$pass]\";\n xpath.setXPathVariableResolver(v -> {\n switch (v.getLocalPart()) {\n case \"user\":\n return user;\n case \"pass\":\n return pass;\n default:\n throw new IllegalArgumentException();\n }\n });\n isExist = (boolean)xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n\n // Bad Dom4j \n org.dom4j.io.SAXReader 
reader = new org.dom4j.io.SAXReader();\n org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));\n isExist = document.selectSingleNode(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\") != null;\n // or document.selectNodes\n System.out.println(isExist);\n\n // Good Dom4j\n org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();\n svc.setVariableValue(\"user\", user);\n svc.setVariableValue(\"pass\", pass);\n String xpathString = \"/users/user[@name=$user and @pass=$pass]\";\n org.dom4j.XPath safeXPath = document.createXPath(xpathString);\n safeXPath.setVariableContext(svc);\n isExist = safeXPath.selectSingleNode(document) != null;\n System.out.println(isExist);\n }\n} catch (ParserConfigurationException e) {\n\n} catch (SAXException e) {\n\n} catch (XPathExpressionException e) {\n\n} catch (org.dom4j.DocumentException e) {\n\n}\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n", + "markdown": "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or pre-compile the query and use variable references to include the user input.\n\nXPath injection can also be prevented by using XQuery.\n\n\n## Example\nIn the first three examples, the code accepts a name and password specified by the user, and uses this unvalidated and unsanitized value in an XPath expression. 
This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\nIn the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.\n\nThe final two examples are for dom4j. They show an example of XPath injection and one method of preventing it.\n\n\n```java\nfinal String xmlStr = \"\" + \n \" \" + \n \" \" + \n \"\";\ntry {\n DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();\n domFactory.setNamespaceAware(true);\n DocumentBuilder builder = domFactory.newDocumentBuilder();\n //Document doc = builder.parse(\"user.xml\");\n Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));\n\n XPathFactory factory = XPathFactory.newInstance();\n XPath xpath = factory.newXPath();\n\n // Injectable data\n String user = request.getParameter(\"user\");\n String pass = request.getParameter(\"pass\");\n if (user != null && pass != null) {\n boolean isExist = false;\n\n // Bad expression\n String expression1 = \"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\";\n isExist = (boolean)xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n XPathExpression expression2 = xpath.compile(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\");\n isExist = (boolean)expression2.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n StringBuffer sb = new StringBuffer(\"/users/user[@name=\");\n sb.append(user);\n sb.append(\"' and @pass='\");\n sb.append(pass);\n sb.append(\"']\");\n String query = sb.toString();\n XPathExpression expression3 = xpath.compile(query);\n isExist = (boolean)expression3.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Good expression\n String expression4 = \"/users/user[@name=$user and @pass=$pass]\";\n xpath.setXPathVariableResolver(v -> {\n switch 
(v.getLocalPart()) {\n case \"user\":\n return user;\n case \"pass\":\n return pass;\n default:\n throw new IllegalArgumentException();\n }\n });\n isExist = (boolean)xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n\n // Bad Dom4j \n org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();\n org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));\n isExist = document.selectSingleNode(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\") != null;\n // or document.selectNodes\n System.out.println(isExist);\n\n // Good Dom4j\n org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();\n svc.setVariableValue(\"user\", user);\n svc.setVariableValue(\"pass\", pass);\n String xpathString = \"/users/user[@name=$user and @pass=$pass]\";\n org.dom4j.XPath safeXPath = document.createXPath(xpathString);\n safeXPath.setVariableContext(svc);\n isExist = safeXPath.selectSingleNode(document) != null;\n System.out.println(isExist);\n }\n} catch (ParserConfigurationException e) {\n\n} catch (SAXException e) {\n\n} catch (XPathExpressionException e) {\n\n} catch (org.dom4j.DocumentException e) {\n\n}\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-643", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/xslt-injection", + "name": "java/xslt-injection", + "shortDescription": { + 
"text": "XSLT transformation with user-controlled stylesheet" + }, + "fullDescription": { + "text": "Performing an XSLT transformation with user-controlled stylesheets can lead to information disclosure or execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# XSLT transformation with user-controlled stylesheet\nXSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.\n\n\n## Example\nIn the following examples, the code accepts an XSLT stylesheet from the user and processes it.\n\nIn the first example, the user-provided XSLT stylesheet is parsed and processed.\n\nIn the second example, secure processing mode is enabled.\n\n\n```java\nimport javax.xml.XMLConstants;\nimport javax.xml.transform.TransformerFactory;\nimport javax.xml.transform.stream.StreamResult;\nimport javax.xml.transform.stream.StreamSource;\n\npublic void transform(Socket socket, String inputXml) throws Exception {\n StreamSource xslt = new StreamSource(socket.getInputStream());\n StreamSource xml = new StreamSource(new StringReader(inputXml));\n StringWriter result = new StringWriter();\n TransformerFactory factory = TransformerFactory.newInstance();\n\n // BAD: User provided XSLT stylesheet is processed\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n\n // GOOD: The secure processing mode is enabled\n factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n} \n```\n\n## References\n* Wikipedia: [XSLT](https://en.wikipedia.org/wiki/XSLT).\n* 
The Java Tutorials: [Transforming XML Data with XSLT](https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html).\n* [XSLT Injection Basics](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n", + "markdown": "# XSLT transformation with user-controlled stylesheet\nXSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.\n\n\n## Example\nIn the following examples, the code accepts an XSLT stylesheet from the user and processes it.\n\nIn the first example, the user-provided XSLT stylesheet is parsed and processed.\n\nIn the second example, secure processing mode is enabled.\n\n\n```java\nimport javax.xml.XMLConstants;\nimport javax.xml.transform.TransformerFactory;\nimport javax.xml.transform.stream.StreamResult;\nimport javax.xml.transform.stream.StreamSource;\n\npublic void transform(Socket socket, String inputXml) throws Exception {\n StreamSource xslt = new StreamSource(socket.getInputStream());\n StreamSource xml = new StreamSource(new StringReader(inputXml));\n StringWriter result = new StringWriter();\n TransformerFactory factory = TransformerFactory.newInstance();\n\n // BAD: User provided XSLT stylesheet is processed\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n\n // GOOD: The secure processing mode is enabled\n factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n} \n```\n\n## References\n* Wikipedia: 
[XSLT](https://en.wikipedia.org/wiki/XSLT).\n* The Java Tutorials: [Transforming XML Data with XSLT](https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html).\n* [XSLT Injection Basics](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-074", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/xss", + "name": "java/xss", + "shortDescription": { + "text": "Cross-site scripting" + }, + "fullDescription": { + "text": "Writing user input directly to a web page allows for a cross-site scripting vulnerability." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the reference.\n\n\n## Example\nThe following example shows the `page` parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.\n\n\n```java\npublic class XSS extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: a request parameter is written directly to the Servlet response stream\n\t\tresponse.getWriter().print(\n\t\t\t\t\"The page \\\"\" + request.getParameter(\"page\") + \"\\\" was not found.\");\n\n\t}\n}\n\n```\n\n## References\n* OWASP: [XSS 
(Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n", + "markdown": "# Cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the reference.\n\n\n## Example\nThe following example shows the `page` parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.\n\n\n```java\npublic class XSS extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: a request parameter is written directly to the Servlet response stream\n\t\tresponse.getWriter().print(\n\t\t\t\t\"The page \\\"\" + request.getParameter(\"page\") + \"\\\" was not found.\");\n\n\t}\n}\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-079/XSS.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/xxe", + "name": 
"java/xxe", + "shortDescription": { + "text": "Resolving XML external entity in user-controlled data" + }, + "fullDescription": { + "text": "Parsing user-controlled XML documents and allowing expansion of external entity references may lead to disclosure of confidential data or denial of service." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Resolving XML external entity in user-controlled data\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation.\n\nThere are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: `javax.xml.parsers.DocumentBuilder`, `javax.xml.stream.XMLStreamReader`, `org.jdom.input.SAXBuilder`/`org.jdom2.input.SAXBuilder`, `javax.xml.parsers.SAXParser`,`org.dom4j.io.SAXReader`, `org.xml.sax.XMLReader`, `javax.xml.transform.sax.SAXSource`, `javax.xml.transform.TransformerFactory`, `javax.xml.transform.sax.SAXTransformerFactory`, `javax.xml.validation.SchemaFactory`, `javax.xml.bind.Unmarshaller` and `javax.xml.xpath.XPathExpression`.\n\n\n## Recommendation\nThe best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. If this is not possible you should disable the parsing of external general entities and external parameter entities. This improves security but the code will still be at risk of denial of service and server side request forgery attacks. 
Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done by default in recent JDK and JRE implementations. We recommend visiting OWASP's [XML Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java), finding the specific XML parser, and applying the mitigation listed there. Other mitigations might be sufficient in some cases, but manual verification will be needed, as the query will continue to flag the parser as potentially dangerous.\n\n\n## Example\nThe following example calls `parse` on a `DocumentBuilder` that is not safely configured on untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic void parse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //unsafe\n}\n\n```\nIn this example, the `DocumentBuilder` is created with DTD disabled, securing it against XXE attack.\n\n\n```java\npublic void disableDTDParse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //safe\n}\n\n```\n\n## References\n* OWASP vulnerability description: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* OWASP guidance on parsing xml files: [XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java).\n* Paper by Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/)\n* Out-of-band data retrieval: Timur Yunusov & 
Alexey Osipov, Black hat EU 2013: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Denial of service attack (Billion laughs): [Billion Laughs.](https://en.wikipedia.org/wiki/Billion_laughs)\n* The Java Tutorials: [Processing Limit Definitions.](https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html)\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n", + "markdown": "# Resolving XML external entity in user-controlled data\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation.\n\nThere are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: `javax.xml.parsers.DocumentBuilder`, `javax.xml.stream.XMLStreamReader`, `org.jdom.input.SAXBuilder`/`org.jdom2.input.SAXBuilder`, `javax.xml.parsers.SAXParser`,`org.dom4j.io.SAXReader`, `org.xml.sax.XMLReader`, `javax.xml.transform.sax.SAXSource`, `javax.xml.transform.TransformerFactory`, `javax.xml.transform.sax.SAXTransformerFactory`, `javax.xml.validation.SchemaFactory`, `javax.xml.bind.Unmarshaller` and `javax.xml.xpath.XPathExpression`.\n\n\n## Recommendation\nThe best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. 
If this is not possible you should disable the parsing of external general entities and external parameter entities. This improves security but the code will still be at risk of denial of service and server side request forgery attacks. Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done by default in recent JDK and JRE implementations. We recommend visiting OWASP's [XML Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java), finding the specific XML parser, and applying the mitigation listed there. Other mitigations might be sufficient in some cases, but manual verification will be needed, as the query will continue to flag the parser as potentially dangerous.\n\n\n## Example\nThe following example calls `parse` on a `DocumentBuilder` that is not safely configured on untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic void parse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //unsafe\n}\n\n```\nIn this example, the `DocumentBuilder` is created with DTD disabled, securing it against XXE attack.\n\n\n```java\npublic void disableDTDParse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //safe\n}\n\n```\n\n## References\n* OWASP vulnerability description: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* OWASP guidance on parsing xml files: [XXE Prevention Cheat 
Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java).\n* Paper by Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/)\n* Out-of-band data retrieval: Timur Yunusov & Alexey Osipov, Black hat EU 2013: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Denial of service attack (Billion laughs): [Billion Laughs.](https://en.wikipedia.org/wiki/Billion_laughs)\n* The Java Tutorials: [Processing Limit Definitions.](https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html)\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-611", + "external/cwe/cwe-776", + "external/cwe/cwe-827", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-611/XXE.ql", + "precision": "high", + "security-severity": "9.1" + } + }, + { + "id": "java/zipslip", + "name": "java/zipslip", + "shortDescription": { + "text": "Arbitrary file access during archive extraction (\"Zip Slip\")" + }, + "fullDescription": { + "text": "Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to verify that the normalized full path of the output file starts with a prefix that matches the destination directory. Path normalization can be done with either `java.io.File.getCanonicalFile()` or `java.nio.file.Path.normalize()`. Prefix checking can be done with `String.startsWith(..)`, but it is better to use `java.nio.file.Path.startsWith(..)`, as the latter works on complete path segments.\n\nAnother alternative is to validate archive entries against a whitelist of expected files.\n\n\n## Example\nIn this example, a file path taken from a zip archive item entry is combined with a destination directory. 
The result is used as the destination file path without verifying that the result is within the destination directory. If provided with a zip file containing an archive path like `..\\sneaky-file`, then this file would be written outside the destination directory.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n FileOutputStream fos = new FileOutputStream(file); // BAD\n // ... write entry to fos ...\n}\n\n```\nTo fix this vulnerability, we need to verify that the normalized `file` still has `destinationDir` as its prefix, and throw an exception if this is not the case.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n if (!file.toPath().normalize().startsWith(destinationDir.toPath()))\n throw new Exception(\"Bad zip entry\");\n FileOutputStream fos = new FileOutputStream(file); // OK\n // ... write entry to fos ...\n}\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n", + "markdown": "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. 
This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to verify that the normalized full path of the output file starts with a prefix that matches the destination directory. Path normalization can be done with either `java.io.File.getCanonicalFile()` or `java.nio.file.Path.normalize()`. Prefix checking can be done with `String.startsWith(..)`, but it is better to use `java.nio.file.Path.startsWith(..)`, as the latter works on complete path segments.\n\nAnother alternative is to validate archive entries against a whitelist of expected files.\n\n\n## Example\nIn this example, a file path taken from a zip archive item entry is combined with a destination directory. The result is used as the destination file path without verifying that the result is within the destination directory. If provided with a zip file containing an archive path like `..\\sneaky-file`, then this file would be written outside the destination directory.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n FileOutputStream fos = new FileOutputStream(file); // BAD\n // ... 
write entry to fos ...\n}\n\n```\nTo fix this vulnerability, we need to verify that the normalized `file` still has `destinationDir` as its prefix, and throw an exception if this is not the case.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n if (!file.toPath().normalize().startsWith(destinationDir.toPath()))\n throw new Exception(\"Bad zip entry\");\n FileOutputStream fos = new FileOutputStream(file); // OK\n // ... write entry to fos ...\n}\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-022", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql", + "precision": "high", + "security-severity": "7.5" + } + } + ] + }, + { + "name": "codeql/java-all", + "semanticVersion": "4.2.0+39a67b6e2e6490a9bd010db50e148f647765e9f7" + }, + { + "name": "codeql/threat-models", + "semanticVersion": "1.0.11+39a67b6e2e6490a9bd010db50e148f647765e9f7" + } + ] + }, + "conversion": { + "tool": { + "driver": { + "name": "GitHub Code Scanning" + } + } + }, + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/hintwatermelon/roller", + "revisionId": "46cdd370714647a468f6ce422adde3d5e8323375", + "branch": "refs/heads/master" + } + ], + "artifacts": [ + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + } + }, + { + "location": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + } + }, + { + "location": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java", + "index": 24 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java", + "index": 25 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java", + "index": 26 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java", + "index": 27 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java", + "index": 28 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java", + "index": 29 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java", + 
"index": 30 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java", + "index": 31 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java", + "index": 32 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java", + "index": 33 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java", + "index": 34 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java", + "index": 35 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java", + "index": 36 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java", + "index": 37 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java", + "index": 38 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java", + "index": 39 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java", + "index": 40 + } + } + ], + "results": [ + { + "ruleId": "java/http-response-splitting", + "rule": { + "id": "java/http-response-splitting", + "index": 15, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 133, + "startColumn": 59, + "endLine": 133, + "endColumn": 76 + } + } + } + ], + "correlationGuid": "aa4c5176-3f0c-485c-9bdc-1c9cd2023d09", + "partialFingerprints": { + "primaryLocationLineHash": "a43352b656264e63:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 49, + "startColumn": 20, + "endLine": 49, + "endColumn": 28 + } + }, + "message": { + "text": "folderId : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 52 + } + }, + "message": { + "text": "folderId : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 70 + } + }, + "message": { + "text": "replace(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 88 + } + }, + "message": { + "text": "replace(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 133, + "startColumn": 59, + "endLine": 133, + "endColumn": 76 + } + }, + "message": { + "text": "sanetizedFolderID" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 49, + "startColumn": 20, + "endLine": 49, + "endColumn": 28 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/8", + "github/alertNumber": 8 + } + }, + { + "ruleId": "java/http-response-splitting", + "rule": { + "id": "java/http-response-splitting", + "index": 15, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + } + } + ], + "correlationGuid": "9a544acb-9e25-40b7-84ea-6f48b454f3fb", + "partialFingerprints": { + "primaryLocationLineHash": "41fbc440cf27dfd0:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "getParameter(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + }, + "message": { + "text": "callback" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 0 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/9", + "github/alertNumber": 9 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1).\nPotential 
Insecure randomness due to a [Insecure randomness source.](2)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + } + } + ], + "correlationGuid": "bd7483e8-25f4-41a7-bc67-785e5ccb280d", + "partialFingerprints": { + "primaryLocationLineHash": "ebe2869d4f29cd7e:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + }, + "region": { + "startLine": 161, + "startColumn": 39, + "endLine": 161, + "endColumn": 80 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + }, + "region": { + "startLine": 162, + "startColumn": 36, + "endLine": 162, + "endColumn": 48 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 119, + "startColumn": 31, + "endLine": 119, + "endColumn": 49 + } + }, + "message": { + "text": "newPassword : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + }, + "message": { + "text": "newPassword" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + }, + "region": { + "startLine": 110, + "startColumn": 39, + "endLine": 110, + "endColumn": 80 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + }, + "region": { + "startLine": 111, + "startColumn": 44, + "endLine": 111, + "endColumn": 56 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 119, + "startColumn": 31, + "endLine": 119, + "endColumn": 49 + } + }, + "message": { + "text": "newPassword : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + }, + "message": { + "text": "newPassword" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 0 + }, + "region": { + "startLine": 161, + "startColumn": 39, + "endLine": 161, + "endColumn": 80 + } + }, + "message": { + "text": "Insecure randomness source." + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 0 + }, + "region": { + "startLine": 110, + "startColumn": 39, + "endLine": 110, + "endColumn": 80 + } + }, + "message": { + "text": "Insecure randomness source." 
+ } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/10", + "github/alertNumber": 10 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 122, + "startColumn": 29, + "endLine": 122, + "endColumn": 41 + } + } + } + ], + "correlationGuid": "42e549d2-c275-4945-bf40-d6bebb689d9d", + "partialFingerprints": { + "primaryLocationLineHash": "a706f813f09b282d:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "randomAlphanumeric(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 371, + "startColumn": 39, + "endLine": 371, + "endColumn": 51 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 121, + "startColumn": 33, + "endLine": 121, + "endColumn": 52 + } + }, + "message": { + "text": "passwordText : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 122, + "startColumn": 29, + "endLine": 122, + "endColumn": 41 + } + }, + "message": { + "text": "passwordText" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 0 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "Insecure randomness source." + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/11", + "github/alertNumber": 11 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 130, + "startColumn": 32, + "endLine": 130, + "endColumn": 47 + } + } + } + ], + "correlationGuid": "d090be49-7c07-4548-be1c-d6a277e20f2e", + "partialFingerprints": { + "primaryLocationLineHash": "a7e8967f80765bad:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 372, + "startColumn": 42, + "endLine": 372, + "endColumn": 54 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 129, + "startColumn": 36, + "endLine": 129, + "endColumn": 58 + } + }, + "message": { + "text": "passwordConfirm : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 130, + "startColumn": 32, + "endLine": 130, + "endColumn": 47 + } + }, + "message": { + "text": "passwordConfirm" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 0 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "Insecure randomness source." + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/12", + "github/alertNumber": 12 + } + }, + { + "ruleId": "java/unvalidated-url-redirection", + "rule": { + "id": "java/unvalidated-url-redirection", + "index": 66, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Untrusted URL redirection depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + } + } + ], + "correlationGuid": "5bb7aec0-639e-4365-93a7-e41e00f18ec6", + "partialFingerprints": { + "primaryLocationLineHash": "41fbc440cf27dfd0:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "getParameter(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + }, + "message": { + "text": "callback" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 0 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/13", + "github/alertNumber": 13 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + } + } + ], + "correlationGuid": "ba9b5766-17b3-4de4-a1b7-79df1e478644", + "partialFingerprints": { + "primaryLocationLineHash": "cccb6385104d4c00:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/14", + "github/alertNumber": 14 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + } + } + ], + "correlationGuid": "6ef05652-94ad-44b8-8e9c-f77e493a8e2d", + "partialFingerprints": { + "primaryLocationLineHash": "df1362749a3e519c:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/15", + "github/alertNumber": 15 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + } + } + ], + "correlationGuid": "e116e0f4-cd03-4270-ab36-3b83f00ee00e", + "partialFingerprints": { + "primaryLocationLineHash": "871c3cf166627615:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 319, + "startColumn": 19, + "endLine": 319, + "endColumn": 134 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 322, + "startColumn": 19, + "endLine": 322, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 319, + "startColumn": 19, + "endLine": 319, + "endColumn": 134 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 322, + "startColumn": 19, + "endLine": 322, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/16", + "github/alertNumber": 16 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + } + } + ], + "correlationGuid": "db4c7ae4-0eda-47d9-aa17-02047f46b732", + "partialFingerprints": { + "primaryLocationLineHash": "f797cd6a2e95a76a:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 24, + "endLine": 95, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 13, + "endLine": 95, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 
11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + 
"artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 20, + "endLine": 94, + "endColumn": 58 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 9, + "endLine": 94, + "endColumn": 12 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 15 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 26 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + 
"index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + 
"uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/17", + "github/alertNumber": 17 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + } + } + ], + "correlationGuid": "2f804f4f-770f-4999-b2a6-e36f3f91f614", + "partialFingerprints": { + "primaryLocationLineHash": "d06c87887323661e:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 
141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": 
{ + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/18", + "github/alertNumber": 18 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + } + } + ], + "correlationGuid": "ed3376eb-e089-4f43-9bf8-adbd4676887b", + "partialFingerprints": { + "primaryLocationLineHash": "f797b1b59b078d8f:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 24, + "endLine": 95, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 13, + "endLine": 95, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 
11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + 
"artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 20, + "endLine": 94, + "endColumn": 58 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 9, + "endLine": 94, + "endColumn": 12 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 15 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 26 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + 
"index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + 
"uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/19", + "github/alertNumber": 19 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + } + } + ], + "correlationGuid": "47fdf168-4a30-4479-a4ee-b5810a9bee24", + "partialFingerprints": { + "primaryLocationLineHash": "6d90bf8993f560aa:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 
141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": 
{ + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/20", + "github/alertNumber": 20 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1).\nCross-site scripting vulnerability due to a [user-provided value](2)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + } + } + ], + "correlationGuid": "1b6fba72-5d1f-48f1-9f91-ddaa6ff07f20", + "partialFingerprints": { + "primaryLocationLineHash": "e41b363d572cf6d8:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 72, + "startColumn": 26, + "endLine": 72, + "endColumn": 58 + } + }, + "message": { + "text": "getParameter(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 87, + "startColumn": 13, + "endLine": 87, + "endColumn": 29 + } + }, + "message": { + "text": "... + ... : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 87, + "startColumn": 3, + "endLine": 87, + "endColumn": 5 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 12 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 23 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + }, + "message": { + "text": "getHtml(...)" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 73, + "startColumn": 26, + "endLine": 73, + "endColumn": 58 + } + }, + "message": { + "text": "getParameter(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 94, + "startColumn": 13, + "endLine": 94, + "endColumn": 29 + } + }, + "message": { + "text": "... + ... 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 94, + "startColumn": 3, + "endLine": 94, + "endColumn": 5 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 12 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 23 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + }, + "message": { + "text": "getHtml(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 0 + }, + "region": { + "startLine": 72, + "startColumn": 26, + "endLine": 72, + "endColumn": 58 + } + }, + "message": { + "text": "user-provided value" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 0 + }, + "region": { + "startLine": 73, + "startColumn": 26, + "endLine": 73, + "endColumn": 58 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/21", + "github/alertNumber": 21 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 81, + "startColumn": 37, + "endLine": 81, + "endColumn": 50 + } + } + } + ], + "correlationGuid": "41fb6220-c807-46cf-8acf-a02ad395aa77", + "partialFingerprints": { + "primaryLocationLineHash": "cf23dfd372a61ea3:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 81, + "startColumn": 37, + "endLine": 81, + "endColumn": 50 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": 
"https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/22", + "github/alertNumber": 22 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 86, + "startColumn": 50, + "endLine": 86, + "endColumn": 63 + } + } + } + ], + "correlationGuid": "19ac3ae8-6aee-4c71-83e5-3ad805b42e72", + "partialFingerprints": { + "primaryLocationLineHash": "103f70b0007fdfad:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 86, + "startColumn": 50, + "endLine": 86, + "endColumn": 63 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/23", + "github/alertNumber": 23 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 112, + "startColumn": 21, + "endLine": 112, + "endColumn": 34 + } + } + } + ], + "correlationGuid": "bd7ccb79-f108-47d2-ba9c-03ae9ca99d04", + "partialFingerprints": { + "primaryLocationLineHash": "9a91c0ae5a3ea9d:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + 
"index": 17 + }, + "region": { + "startLine": 112, + "startColumn": 21, + "endLine": 112, + "endColumn": 34 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/24", + "github/alertNumber": 24 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 147, + "startColumn": 48, + "endLine": 147, + "endColumn": 58 + } + } + } + ], + "correlationGuid": "16ab249d-cb7d-4003-bb25-4237836305d5", + "partialFingerprints": { + "primaryLocationLineHash": "77597f482b4d5d50:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 266, 
+ "startColumn": 16, + "endLine": 266, + "endColumn": 29 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 139, + "startColumn": 30, + "endLine": 139, + "endColumn": 48 + } + }, + "message": { + "text": "getUploadedFiles(...) : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 147, + "startColumn": 48, + "endLine": 147, + "endColumn": 58 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 0 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/25", + "github/alertNumber": 25 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + } + } + ], + "correlationGuid": "485410bf-8cbf-48eb-8680-82e1d52843ff", + "partialFingerprints": { + "primaryLocationLineHash": "2b2bb9cdd3635201:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 173, + "startColumn": 45, + "endLine": 173, + "endColumn": 63 + } + }, + "message": { + "text": "this.uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 51 + } + }, + "message": { + "text": "this.uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 0 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/26", + "github/alertNumber": 26 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + } + } + ], + "correlationGuid": "3088f3ec-6971-4d9e-98fc-8f02dfab52c3", + "partialFingerprints": { + "primaryLocationLineHash": "9449418b46954eb:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 125, + "startColumn": 21, + "endLine": 125, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 126, + "startColumn": 41, + "endLine": 126, + "endColumn": 58 + } + }, + "message": { + "text": "this.uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 0 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/27", + "github/alertNumber": 27 + } + }, + { + "ruleId": "java/polynomial-redos", + "rule": { + "id": "java/polynomial-redos", + "index": 38, + 
"toolComponent": { + "index": 0 + } + }, + "message": { + "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with 'b' and with many repetitions of 'b'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + } + } + ], + "correlationGuid": "2f63c4a7-4170-47c8-917b-9ca3a0115f38", + "partialFingerprints": { + "primaryLocationLineHash": "f22c138a13ff3a37:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + "endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) 
: WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + 
"startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 988, + "startColumn": 34, + "endLine": 988, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 897, + "startColumn": 19, + "endLine": 897, + "endColumn": 37 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 302, + "startColumn": 19, + "endLine": 302, + "endColumn": 26 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + 
"startLine": 303, + "startColumn": 16, + "endLine": 303, + "endColumn": 25 + } + }, + "message": { + "text": "this.text : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "getText(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + 
"startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + 
"endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 107, + "startColumn": 24, + "endLine": 107, + "endColumn": 29 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 107, + "startColumn": 24, + "endLine": 107, + "endColumn": 29 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + 
"endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + "startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 990, + "startColumn": 34, + "endLine": 990, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 904, + "startColumn": 19, + "endLine": 904, + "endColumn": 40 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 274, + 
"startColumn": 19, + "endLine": 274, + "endColumn": 29 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 275, + "startColumn": 16, + "endLine": 275, + "endColumn": 23 + } + }, + "message": { + "text": "summary : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "getSummary(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + 
"startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + "startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 49, + "startColumn": 19, + "endLine": 49, + "endColumn": 22 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 49, + "startColumn": 19, + "endLine": 49, + "endColumn": 69 + } + }, + "message": { + "text": "replaceFirst(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + "endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) 
: WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + 
"startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 996, + "startColumn": 34, + "endLine": 996, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 904, + "startColumn": 19, + "endLine": 904, + "endColumn": 40 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 274, + "startColumn": 19, + "endLine": 274, + "endColumn": 29 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + 
"startLine": 275, + "startColumn": 16, + "endLine": 275, + "endColumn": 23 + } + }, + "message": { + "text": "summary : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "getSummary(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + 
"startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + 
"endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + 
"startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1007, + "startColumn": 34, + "endLine": 1007, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 897, + "startColumn": 19, + "endLine": 897, + "endColumn": 37 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 302, + "startColumn": 19, + "endLine": 302, + "endColumn": 26 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + 
"startLine": 303, + "startColumn": 16, + "endLine": 303, + "endColumn": 25 + } + }, + "message": { + "text": "this.text : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "getText(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + 
"startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 0 + }, + "region": { + "startLine": 38, + "startColumn": 33, + "endLine": 38, + "endColumn": 51 + } + }, + "message": { + "text": "regular expression" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 0 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/28", + "github/alertNumber": 28 + } + }, + { + "ruleId": "java/polynomial-redos", + "rule": { + "id": "java/polynomial-redos", + "index": 38, + "toolComponent": { + "index": 0 + } + }, + 
"message": { + "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '' and with many repetitions of '
a'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 24
+                },
+                "region": {
+                  "startLine": 61,
+                  "startColumn": 51,
+                  "endLine": 61,
+                  "endColumn": 54
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f9b0a3a9-8833-461c-93ec-3a12c3a72f91",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "80ff14788737bca8:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 996,
+                            "startColumn": 34,
+                            "endLine": 996,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1007,
+                            "startColumn": 34,
+                            "endLine": 1007,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 38,
+                  "startColumn": 22,
+                  "endLine": 38,
+                  "endColumn": 27
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 38,
+                  "startColumn": 29,
+                  "endLine": 38,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/29",
+            "github/alertNumber": 29
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '' and with many repetitions of 'a'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 24
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 57,
+                  "endLine": 68,
+                  "endColumn": 66
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f9eb5f85-f753-42b1-8c6b-3bd3ef5db56e",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "6d309d833fb2b46b:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 996,
+                            "startColumn": 34,
+                            "endLine": 996,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1007,
+                            "startColumn": 34,
+                            "endLine": 1007,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 41,
+                  "startColumn": 24,
+                  "endLine": 41,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 41,
+                  "startColumn": 31,
+                  "endLine": 41,
+                  "endColumn": 34
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/30",
+            "github/alertNumber": 30
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 60,
+                  "startColumn": 88,
+                  "endLine": 60,
+                  "endColumn": 90
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/31",
+            "github/alertNumber": 31
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of ' '."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 179,
+                  "startColumn": 68,
+                  "endLine": 179,
+                  "endColumn": 77
+                }
+              }
+            }
+          ],
+          "correlationGuid": "0068dc73-44a6-456e-83a7-5fe04b5899e9",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f7eba83359081407:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 66,
+                  "startColumn": 77,
+                  "endLine": 66,
+                  "endColumn": 81
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/32",
+            "github/alertNumber": 32
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of '!'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 235,
+                  "startColumn": 67,
+                  "endLine": 235,
+                  "endColumn": 70
+                }
+              }
+            }
+          ],
+          "correlationGuid": "b4530215-fde8-4f7d-8718-57bc4d310a08",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f77ea2ce3b67490a:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 67,
+                  "endLine": 68,
+                  "endColumn": 76
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/33",
+            "github/alertNumber": 33
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](2) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](4) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](5) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](6) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](7) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](8) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](8) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 249,
+                  "startColumn": 83,
+                  "endLine": 249,
+                  "endColumn": 93
+                }
+              }
+            }
+          ],
+          "correlationGuid": "ebd7d4fc-18fe-4894-ad98-05b92939b9a6",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "d2f751956bb0d070:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 174,
+                            "startColumn": 38,
+                            "endLine": 174,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 19,
+                            "endLine": 66,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 67,
+                            "startColumn": 16,
+                            "endLine": 67,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 174,
+                            "startColumn": 38,
+                            "endLine": 174,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "getUserName(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 30,
+                            "endLine": 94,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 95,
+                            "startColumn": 62,
+                            "endLine": 95,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 17,
+                            "endLine": 413,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 82,
+                            "startColumn": 40,
+                            "endLine": 82,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 109,
+                            "startColumn": 19,
+                            "endLine": 109,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 110,
+                            "startColumn": 16,
+                            "endLine": 110,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 82,
+                            "startColumn": 40,
+                            "endLine": 82,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getOpenIdUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 47,
+                            "endLine": 86,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "openidurl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 30,
+                            "endLine": 131,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 132,
+                            "startColumn": 63,
+                            "endLine": 132,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 17,
+                            "endLine": 413,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 70,
+                  "startColumn": 73,
+                  "endLine": 70,
+                  "endColumn": 75
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 70,
+                  "startColumn": 98,
+                  "endLine": 70,
+                  "endColumn": 103
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 8,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/34",
+            "github/alertNumber": 34
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings starting with '<' and with many repetitions of '<'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 290,
+                  "startColumn": 103,
+                  "endLine": 290,
+                  "endColumn": 106
+                }
+              }
+            }
+          ],
+          "correlationGuid": "98c49d16-a691-4397-87d1-0bebd5d9982a",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "ea89bbca86ba4590:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 64,
+                  "startColumn": 65,
+                  "endLine": 64,
+                  "endColumn": 67
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/35",
+            "github/alertNumber": 35
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings starting with '<' and with many repetitions of '<'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 308,
+                  "startColumn": 40,
+                  "endLine": 308,
+                  "endColumn": 43
+                }
+              }
+            }
+          ],
+          "correlationGuid": "5b53c901-1227-4899-94b0-02de15b8ef1b",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "7fd366a6b63e95c3:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 64,
+                  "startColumn": 65,
+                  "endLine": 64,
+                  "endColumn": 67
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/36",
+            "github/alertNumber": 36
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 49,
+                  "startColumn": 36,
+                  "endLine": 49,
+                  "endColumn": 51
+                }
+              }
+            }
+          ],
+          "correlationGuid": "1923e2ac-ef5c-43bf-b786-86bf2b341004",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "77bb988d556b367:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/37",
+            "github/alertNumber": 37
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 66,
+                  "startColumn": 36,
+                  "endLine": 66,
+                  "endColumn": 38
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f7e56bbc-467c-4e07-a916-b3b3c362a229",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "e97d22a8b2a0b291:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/38",
+            "github/alertNumber": 38
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 71,
+                  "startColumn": 36,
+                  "endLine": 71,
+                  "endColumn": 39
+                }
+              }
+            }
+          ],
+          "correlationGuid": "49c124bf-2a10-4623-9976-3376d4c86436",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "9713a8da9d6dd391:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 67
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 67
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/39",
+            "github/alertNumber": 39
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                  "index": 32
+                },
+                "region": {
+                  "startLine": 438,
+                  "startColumn": 48,
+                  "endLine": 438,
+                  "endColumn": 53
+                }
+              }
+            }
+          ],
+          "correlationGuid": "d8bfdf72-6bfc-410e-8a9f-acdb38e8d713",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "41fca1ccdb5c516f:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 55,
+                            "startColumn": 30,
+                            "endLine": 55,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "bean : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 204,
+                            "startColumn": 16,
+                            "endLine": 204,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 47,
+                            "endLine": 195,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java",
+                            "index": 34
+                          },
+                          "region": {
+                            "startLine": 101,
+                            "startColumn": 19,
+                            "endLine": 101,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java",
+                            "index": 34
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 16,
+                            "endLine": 102,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this.bannedwordslist : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 47,
+                            "endLine": 195,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getBannedwordslist(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 427,
+                            "startColumn": 9,
+                            "endLine": 427,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "bannedwordslist : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 431,
+                            "startColumn": 53,
+                            "endLine": 431,
+                            "endColumn": 83
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 431,
+                            "startColumn": 33,
+                            "endLine": 431,
+                            "endColumn": 90
+                          }
+                        },
+                        "message": {
+                          "text": "new StringTokenizer(...) : StringTokenizer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "toker : StringTokenizer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "nextToken(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 438,
+                            "startColumn": 48,
+                            "endLine": 438,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 55,
+                  "startColumn": 30,
+                  "endLine": 55,
+                  "endColumn": 34
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/40",
+            "github/alertNumber": 40
+          }
+        },
+        {
+          "ruleId": "java/ssrf",
+          "rule": {
+            "id": "java/ssrf",
+            "index": 47,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Potential server-side request forgery due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                  "index": 35
+                },
+                "region": {
+                  "startLine": 230,
+                  "startColumn": 57,
+                  "endLine": 230,
+                  "endColumn": 72
+                }
+              }
+            }
+          ],
+          "correlationGuid": "9d0ad640-089c-4ee1-b3ed-dfbe72c4e5b1",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "248fddc681a75a01:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 20,
+                            "endLine": 49,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 313,
+                            "startColumn": 16,
+                            "endLine": 313,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 53,
+                            "endLine": 188,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getSubUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 43,
+                            "endLine": 74,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 34,
+                            "endLine": 75,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 83,
+                            "startColumn": 43,
+                            "endLine": 83,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 93,
+                            "startColumn": 30,
+                            "endLine": 93,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 32,
+                            "endLine": 228,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 68,
+                            "endLine": 230,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 57,
+                            "endLine": 230,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "create(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 20,
+                            "endLine": 49,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 313,
+                            "startColumn": 16,
+                            "endLine": 313,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 53,
+                            "endLine": 188,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getSubUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 43,
+                            "endLine": 74,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 34,
+                            "endLine": 75,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java",
+                            "index": 37
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 43,
+                            "endLine": 63,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java",
+                            "index": 37
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 44,
+                            "endLine": 74,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 83,
+                            "startColumn": 43,
+                            "endLine": 83,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 93,
+                            "startColumn": 30,
+                            "endLine": 93,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 32,
+                            "endLine": 228,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 68,
+                            "endLine": 230,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 57,
+                            "endLine": 230,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "create(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 49,
+                  "startColumn": 20,
+                  "endLine": 49,
+                  "endColumn": 26
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/41",
+            "github/alertNumber": 41
+          }
+        },
+        {
+          "ruleId": "java/ssrf",
+          "rule": {
+            "id": "java/ssrf",
+            "index": 47,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Potential server-side request forgery due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                  "index": 38
+                },
+                "region": {
+                  "startLine": 57,
+                  "startColumn": 57,
+                  "endLine": 57,
+                  "endColumn": 69
+                }
+              }
+            }
+          ],
+          "correlationGuid": "839215e6-bef4-4426-97bf-80d3555da65d",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "c240ab2d5b41ea5f:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 72,
+                            "startColumn": 23,
+                            "endLine": 72,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "bean : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 315,
+                            "startColumn": 16,
+                            "endLine": 315,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 231,
+                            "startColumn": 49,
+                            "endLine": 231,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java",
+                            "index": 39
+                          },
+                          "region": {
+                            "startLine": 223,
+                            "startColumn": 19,
+                            "endLine": 223,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java",
+                            "index": 39
+                          },
+                          "region": {
+                            "startLine": 224,
+                            "startColumn": 16,
+                            "endLine": 224,
+                            "endColumn": 28
+                          }
+                        },
+                        "message": {
+                          "text": "enclosureURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 231,
+                            "startColumn": 49,
+                            "endLine": 231,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getEnclosureURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 48,
+                            "startColumn": 52,
+                            "endLine": 48,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 65,
+                            "endLine": 57,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 57,
+                            "endLine": 57,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "new URL(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 72,
+                  "startColumn": 23,
+                  "endLine": 72,
+                  "endColumn": 27
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/42",
+            "github/alertNumber": 42
+          }
+        },
+        {
+          "ruleId": "java/error-message-exposure",
+          "rule": {
+            "id": "java/error-message-exposure",
+            "index": 13,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "[Error information](1) can be exposed to an external user."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 40
+                },
+                "region": {
+                  "startLine": 147,
+                  "startColumn": 24,
+                  "endLine": 147,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "d722e768-31a0-417b-9b87-847c29a58084",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "7c1f69188f18e239:1"
+          },
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 142,
+                  "startColumn": 25,
+                  "endLine": 142,
+                  "endColumn": 39
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/43",
+            "github/alertNumber": 43
+          }
+        },
+        {
+          "ruleId": "java/error-message-exposure",
+          "rule": {
+            "id": "java/error-message-exposure",
+            "index": 13,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "[Error information](1) can be exposed to an external user.\n[Error information](2) can be exposed to an external user."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 40
+                },
+                "region": {
+                  "startLine": 221,
+                  "startColumn": 24,
+                  "endLine": 221,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "4df5ee6f-b915-488c-ba43-35a70984f360",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "517a7a49b664a801:1"
+          },
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 142,
+                  "startColumn": 25,
+                  "endLine": 142,
+                  "endColumn": 39
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 214,
+                  "startColumn": 21,
+                  "endLine": 214,
+                  "endColumn": 35
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/44",
+            "github/alertNumber": 44
+          }
+        }
+      ],
+      "automationDetails": {
+        "id": ".github/workflows/codeql-analysis.yml:analyze/language:java/"
+      },
+      "properties": {
+        "codeqlConfigSummary": {}
+      }
+    }
+  ]
+}
diff --git a/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-1.sarif b/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-1.sarif
new file mode 100644
index 000000000..6e14cb80e
--- /dev/null
+++ b/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-1.sarif
@@ -0,0 +1,4535 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL",
+          "semanticVersion": "2.19.3"
+        },
+        "extensions": [
+          {
+            "name": "codeql/javascript-queries",
+            "semanticVersion": "1.2.3+39a67b6e2e6490a9bd010db50e148f647765e9f7",
+            "rules": [
+              {
+                "id": "js/actions/actions-artifact-leak",
+                "name": "js/actions/actions-artifact-leak",
+                "shortDescription": {
+                  "text": "Storage of sensitive information in GitHub Actions artifact"
+                },
+                "fullDescription": {
+                  "text": "Including sensitive information in a GitHub Actions artifact can expose it to an attacker."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Storage of sensitive information in GitHub Actions artifact\nSensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a GitHub Actions artifact.\n\n\n## Example\nThe following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \\`.git/config\\` file and then stores the contents of the \\`.git\\` repository into the artifact:\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2\n        with:\n          name: file\n          path: .\n\n```\nThe issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact.\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # NOT VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@v4\n        with:\n          name: file\n          path: .\n\n\n```\n",
+                  "markdown": "# Storage of sensitive information in GitHub Actions artifact\nSensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a GitHub Actions artifact.\n\n\n## Example\nThe following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \\`.git/config\\` file and then stores the contents of the \\`.git\\` repository into the artifact:\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2\n        with:\n          name: file\n          path: .\n\n```\nThe issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact.\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # NOT VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@v4\n        with:\n          name: file\n          path: .\n\n\n```\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-312",
+                    "external/cwe/cwe-315",
+                    "external/cwe/cwe-359",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "js/actions/command-injection",
+                "name": "js/actions/command-injection",
+                "shortDescription": {
+                  "text": "Expression injection in Actions"
+                },
+                "fullDescription": {
+                  "text": "Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious user to inject code into the GitHub action."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - run: |\n        echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    -  env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo '${{ env.BODY }}'\n```\nThe following example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security 
hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n",
+                  "markdown": "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - run: |\n        echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    -  env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo '${{ env.BODY }}'\n```\nThe following example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security 
hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "actions",
+                    "external/cwe/cwe-094",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.3"
+                }
+              },
+              {
+                "id": "js/angular/disabling-sce",
+                "name": "js/angular/disabling-sce",
+                "shortDescription": {
+                  "text": "Disabling SCE"
+                },
+                "fullDescription": {
+                  "text": "Disabling strict contextual escaping (SCE) can cause security vulnerabilities."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n    .config(function($sceProvider) {\n        $sceProvider.enabled(false); // BAD\n    }).controller('controller', function($scope) {\n        // ...\n        $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n .config(function($sceProvider) {\n $sceProvider.enabled(false); // BAD\n }).controller('controller', function($scope) {\n // ...\n $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-116", + "frameworks/angularjs", + "maintainability", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/AngularJS/DisablingSce.ql", + "precision": "very-high", + "security-severity": "7.8" + } + }, + { + "id": "js/angular/double-compilation", + "name": "js/angular/double-compilation", + "shortDescription": { + "text": "Double compilation" + }, + "fullDescription": { + "text": "Recompiling an already compiled part of the DOM can lead to unexpected behavior of directives, performance problems, and memory leaks." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n", + "markdown": "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1176", + "frameworks/angularjs", + "reliability", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/AngularJS/DoubleCompilation.ql", + "precision": "very-high", + "security-severity": "8.8" + } + }, + { + "id": "js/angular/insecure-url-whitelist", + "name": "js/angular/insecure-url-whitelist", + "shortDescription": { + 
"text": "Insecure URL whitelist" + }, + "fullDescription": { + "text": "URL whitelists that are too permissive can cause security vulnerabilities." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n", + "markdown": "# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. 
One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-183", + "external/cwe/cwe-625", + "frameworks/angularjs", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql", + "precision": "very-high", + "security-severity": "7.5" + } + }, + { + "id": "js/bad-code-sanitization", + "name": "js/bad-code-sanitization", + "shortDescription": { + "text": "Improper code sanitization" + }, + "fullDescription": { + "text": "Escaping code as HTML does not provide 
protection against code injection." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Improper code sanitization\nUsing string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Improper code sanitization\nUsing string 
concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-094", + "external/cwe/cwe-116", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/bad-tag-filter", + "name": "js/bad-tag-filter", + "shortDescription": { + "text": "Bad HTML filtering regexp" + }, + "fullDescription": { + "text": "Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. 
This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n", + "markdown": "# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. 
Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "external/cwe/cwe-080", + "external/cwe/cwe-116", + 
"external/cwe/cwe-184", + "external/cwe/cwe-185", + "external/cwe/cwe-186", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-116/BadTagFilter.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "js/biased-cryptographic-random", + "name": "js/biased-cryptographic-random", + "shortDescription": { + "text": "Creating biased random numbers from a cryptographically secure source" + }, + "fullDescription": { + "text": "Some mathematical operations on random numbers can cause bias in the results and compromise security." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n", + "markdown": "# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-327", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-327/BadRandomness.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/build-artifact-leak", + "name": "js/build-artifact-leak", + "shortDescription": { + "text": "Storage of sensitive information in build artifact" + }, + "fullDescription": { + "text": "Including sensitive information in a build artifact can expose it to an attacker." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown": "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that 
inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-312", + "external/cwe/cwe-315", + "external/cwe/cwe-359", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/case-sensitive-middleware-path", + "name": "js/case-sensitive-middleware-path", + "shortDescription": { + "text": "Case-sensitive middleware path" + }, + "fullDescription": { + "text": "Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n", + "markdown": "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-178", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql", + "precision": "high", + "security-severity": "7.3" + } + }, + { + "id": "js/clear-text-cookie", + "name": "js/clear-text-cookie", + "shortDescription": { + "text": "Clear text transmission of sensitive cookie" + }, + "fullDescription": { + "text": "Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. 
If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n", + "markdown": "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-311", + "external/cwe/cwe-312", + "external/cwe/cwe-319", + "external/cwe/cwe-614", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-614/ClearTextCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "js/clear-text-logging", + "name": "js/clear-text-logging", + "shortDescription": { + "text": "Clear-text logging of sensitive information" + }, + "fullDescription": { + "text": "Logging sensitive information without encryption or hashing can expose it to an attacker." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. 
Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n", + "markdown": "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. 
Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-312", + "external/cwe/cwe-359", + "external/cwe/cwe-532", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/CleartextLogging.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/clear-text-storage-of-sensitive-data", + "name": "js/clear-text-storage-of-sensitive-data", + "shortDescription": { + "text": "Clear text storage of sensitive information" + }, + "fullDescription": { + "text": "Sensitive information stored without encryption or hashing can expose it to an attacker." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. 
This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. 
Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown": "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = 
req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-312", + "external/cwe/cwe-315", + "external/cwe/cwe-359", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/CleartextStorage.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/client-exposed-cookie", + "name": "js/client-exposed-cookie", + "shortDescription": { + "text": "Sensitive server cookie exposed to the client" + }, + "fullDescription": { + "text": "Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n", + "markdown": "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1004", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-1004/ClientExposedCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "js/client-side-unvalidated-url-redirection", + "name": "js/client-side-unvalidated-url-redirection", + "shortDescription": { + "text": "Client-side URL redirect" + }, + "fullDescription": { + "text": "Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", + "markdown": "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. 
This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-116", + "external/cwe/cwe-601", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/code-injection", + "name": "js/code-injection", + "shortDescription": { + "text": "Code injection" + }, + "fullDescription": { + "text": "Interpreting unsanitized user input as code allows a malicious user arbitrary code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. 
It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. 
It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-094", + "external/cwe/cwe-095", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-094/CodeInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "js/command-line-injection", + "name": "js/command-line-injection", + "shortDescription": { + "text": "Uncontrolled command line" + }, + "fullDescription": { + "text": "Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. 
For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown": "# Uncontrolled command line\nCode that passes 
untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. 
For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties": { + "tags": [ + "correctness", + 
"external/cwe/cwe-078", + "external/cwe/cwe-088", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-078/CommandInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "js/cors-misconfiguration-for-credentials", + "name": "js/cors-misconfiguration-for-credentials", + "shortDescription": { + "text": "CORS misconfiguration for credentials transfer" + }, + "fullDescription": { + "text": "Misconfiguration of CORS HTTP headers allows for leaks of secret credentials." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. 
Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. 
The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: [CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n", + "markdown": "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. 
Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. 
The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: [CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-346", + "external/cwe/cwe-639", + "external/cwe/cwe-942", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/cross-window-information-leak", + "name": 
"js/cross-window-information-leak", + "shortDescription": { + "text": "Cross-window communication with unrestricted target origin" + }, + "fullDescription": { + "text": "When sending sensitive information to another window using `postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown": "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-201", + "external/cwe/cwe-359", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-201/PostMessageStar.ql", + "precision": "high", + "security-severity": "4.3" + } + }, + { + "id": "js/disabling-certificate-validation", + "name": "js/disabling-certificate-validation", + "shortDescription": { + "text": "Disabling certificate validation" + }, + "fullDescription": { + "text": "Disabling cryptographic certificate validation can cause security vulnerabilities." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n", + "markdown": "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-295", + "external/cwe/cwe-297", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql", + "precision": "very-high", + "security-severity": "7.5" + } + }, + { + "id": "js/disabling-electron-websecurity", + "name": "js/disabling-electron-websecurity", + "shortDescription": { + "text": "Disabling Electron webSecurity" + }, + "fullDescription": { + "text": "Disabling 
webSecurity can cause critical security vulnerabilities." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n", + "markdown": "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. 
Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-79", + "frameworks/electron", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Electron/DisablingWebSecurity.ql", + "precision": "very-high", + "security-severity": "6.1" + } + }, + { + "id": "js/double-escaping", + "name": "js/double-escaping", + "shortDescription": { + "text": "Double escaping or unescaping" + }, + "fullDescription": { + "text": "When escaping special characters using a meta-character like backslash or ampersand, the meta-character has to be escaped first to avoid double-escaping, and conversely it has to be unescaped last to avoid double-unescaping." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `<` and the double-quote character as `"`. 
Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. 
So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `<` and the double-quote character as `"`. Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. 
Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. 
So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "js/enabling-electron-insecure-content", + "name": "js/enabling-electron-insecure-content", + "shortDescription": { + "text": "Enabling Electron allowRunningInsecureContent" + }, + "fullDescription": { + "text": "Enabling allowRunningInsecureContent can allow remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n", + "markdown": "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-494", + "frameworks/electron", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Electron/AllowRunningInsecureContent.ql", + "precision": "very-high", + "security-severity": "8.8" + } + }, + { + "id": "js/exposure-of-private-files", + "name": "js/exposure-of-private-files", + "shortDescription": { + "text": "Exposure of private files" + }, + "fullDescription": { + "text": "Exposing a node_modules folder, or the project folder to the public, can cause exposure of private information." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. 
If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n", + "markdown": "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. 
If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-200", + "external/cwe/cwe-219", + "external/cwe/cwe-548", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql", + "precision": "high", + "security-severity": "6.5" + } + }, + { + "id": "js/functionality-from-untrusted-domain", + "name": "js/functionality-from-untrusted-domain", + "shortDescription": { + "text": "Untrusted domain used in script or other content" + }, + "fullDescription": { + "text": "Using a 
resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. 
When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. 
This use was open to malicious scripts being served by the CDN.\n\n\n```html\n\n \n Polyfill.io demo\n \n \n \n ...\n \n\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)\n \n \n \n ...\n \n\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)\n \n \n \n ...\n \n\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n", + "markdown": "# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. 
In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. 
Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. This use was open to malicious scripts being served by the CDN.\n\n\n```html\n\n \n Polyfill.io demo\n \n \n \n ...\n \n\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)\n \n \n \n ...\n \n\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)\n \n \n \n ...\n \n\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. 
Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-830", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql", + "precision": "high", + "security-severity": "7.2" + } + }, + { + "id": "js/functionality-from-untrusted-source", + "name": "js/functionality-from-untrusted-source", + "shortDescription": { + "text": "Inclusion of functionality from an untrusted source" + }, + "fullDescription": { + "text": "Including functionality from an untrusted source may allow an attacker to control the functionality and execute arbitrary code." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. 
When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource 
Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n", + "markdown": "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. 
Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-830", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql", + "precision": "high", + "security-severity": "6" + } + }, + { + "id": "js/hardcoded-credentials", + "name": "js/hardcoded-credentials", + "shortDescription": { + "text": "Hard-coded credentials" + }, + "fullDescription": { + "text": "Hard-coding credentials in source code may enable an attacker to gain 
unauthorized access." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 
'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n", + "markdown": "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. 
If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment 
variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-259", + "external/cwe/cwe-321", + "external/cwe/cwe-798", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "js/host-header-forgery-in-email-generation", + "name": "js/host-header-forgery-in-email-generation", + "shortDescription": { + "text": "Host header poisoning in email generation" + }, + "fullDescription": { + "text": "Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. 
Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header 
Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n", + "markdown": "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. 
This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-640", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "js/html-constructed-from-input", + "name": "js/html-constructed-from-input", + "shortDescription": { + "text": "Unsafe HTML constructed from library input" + }, + "fullDescription": { + "text": "Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = 
name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. 
If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site 
scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/identity-replacement", + "name": "js/identity-replacement", + "shortDescription": { + "text": "Replacement of a substring with itself" + }, + "fullDescription": { + "text": "Replacing a substring with itself has no effect and may indicate a mistake." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/RegExp/IdentityReplacement.ql", + "precision": "very-high", + "security-severity": "5" + } + }, + { + "id": "js/incomplete-hostname-regexp", + "name": "js/incomplete-hostname-regexp", + "shortDescription": { + "text": "Incomplete regular expression for hostnames" + }, + "fullDescription": { + "text": "Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. 
Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. 
Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "js/incomplete-html-attribute-sanitization", + "name": "js/incomplete-html-attribute-sanitization", + "shortDescription": { 
+ "text": "Incomplete HTML attribute sanitization" + }, + "fullDescription": { + "text": "Writing incompletely sanitized values to HTML attribute strings can lead to a cross-site scripting vulnerability." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Incomplete HTML attribute sanitization\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. Usually, this is done by escaping `<`, `>`, `&` and `\"`. However, the context in which the sanitized value is used decides the characters that need to be sanitized.\n\nAs a consequence, some programs only sanitize `<` and `>` since those are the most common dangerous characters. The lack of sanitization for `\"` is problematic when an incompletely sanitized value is used as an HTML attribute in a string that later is parsed as HTML.\n\n\n## Recommendation\nSanitize all relevant HTML meta-characters when constructing HTML dynamically, and pay special attention to where the sanitized value is used.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) to an HTML attribute of the server response. The user-controlled value is, however, not sanitized for `\"`. This leaves the website vulnerable to cross-site scripting since an attacker can use a string like `\" onclick=\"alert(42)` to inject JavaScript code into the response.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>/g, \"\"); // BAD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\nSanitizing the user-controlled data for `\"` helps prevent the vulnerability:\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>|&|\"/g, \"\"); // GOOD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Incomplete HTML attribute sanitization\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. Usually, this is done by escaping `<`, `>`, `&` and `\"`. However, the context in which the sanitized value is used decides the characters that need to be sanitized.\n\nAs a consequence, some programs only sanitize `<` and `>` since those are the most common dangerous characters. The lack of sanitization for `\"` is problematic when an incompletely sanitized value is used as an HTML attribute in a string that later is parsed as HTML.\n\n\n## Recommendation\nSanitize all relevant HTML meta-characters when constructing HTML dynamically, and pay special attention to where the sanitized value is used.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) to an HTML attribute of the server response. 
The user-controlled value is, however, not sanitized for `\"`. This leaves the website vulnerable to cross-site scripting since an attacker can use a string like `\" onclick=\"alert(42)` to inject JavaScript code into the response.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>/g, \"\"); // BAD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\nSanitizing the user-controlled data for `\"` helps prevent the vulnerability:\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>|&|\"/g, \"\"); // GOOD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-020", + "external/cwe/cwe-079", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/incomplete-multi-character-sanitization", + "name": "js/incomplete-multi-character-sanitization", + "shortDescription": { + "text": "Incomplete multi-character sanitization" + }, + "fullDescription": { + "text": "A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. 
However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/\n \n \n \n \n\n\n```\nThe corrected version sets the `android:debuggable` attribute to `false`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The android:debuggable attribute](https://developer.android.com/guide/topics/manifest/application-element#debug).\n* Android Developers: [Enable debugging](https://developer.android.com/studio/debug#enable-debug).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n", + "markdown": "# Android debuggable attribute enabled\nThe Android manifest file defines configuration settings for Android applications. In this file, the `android:debuggable` attribute of the `application` element can be used to define whether or not the application can be debugged. 
When set to `true`, this attribute will allow the application to be debugged even when running on a device in user mode.\n\nWhen a debugger is enabled, it could allow for entry points in the application or reveal sensitive information. As a result, `android:debuggable` should only be enabled during development and should be disabled in production builds.\n\n\n## Recommendation\nIn Android applications, either set the `android:debuggable` attribute to `false`, or do not include it in the manifest. The default value, when not included, is `false`.\n\n\n## Example\nIn the example below, the `android:debuggable` attribute is set to `true`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\nThe corrected version sets the `android:debuggable` attribute to `false`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The android:debuggable attribute](https://developer.android.com/guide/topics/manifest/application-element#debug).\n* Android Developers: [Enable debugging](https://developer.android.com/studio/debug#enable-debug).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-489", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql", + "precision": "very-high", + "security-severity": "7.2" + } + }, + { + "id": "java/android/fragment-injection", + "name": "java/android/fragment-injection", + "shortDescription": { + "text": "Android fragment injection" + }, + "fullDescription": { + "text": "Instantiating an Android fragment from a user-provided value may allow a malicious application to bypass access controls, exposing the application to unintended effects." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android fragment injection\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. 
Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n", + "markdown": "# Android fragment injection\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. 
This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-470", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/android/fragment-injection-preference-activity", + "name": "java/android/fragment-injection-preference-activity", + "shortDescription": { + "text": "Android fragment injection in PreferenceActivity" + }, + "fullDescription": { + "text": "An insecure implementation of the 'isValidFragment' method of the 'PreferenceActivity' class may allow a malicious application to bypass access controls, exposing the application to unintended effects." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android fragment injection in PreferenceActivity\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. 
Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n", + "markdown": "# Android fragment injection in PreferenceActivity\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. 
This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-470", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/android/implicit-pendingintents", + "name": "java/android/implicit-pendingintents", + "shortDescription": { + "text": "Use of implicit PendingIntents" + }, + "fullDescription": { + "text": "Sending an implicit and mutable 'PendingIntent' to an unspecified third party component may provide an attacker with access to internal components of the application or cause other unintended effects." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of implicit PendingIntents\nA `PendingIntent` is used to wrap an `Intent` that will be supplied and executed by another application. When the `Intent` is executed, it behaves as if it were run directly by the supplying application, using the privileges of that application.\n\nIf a `PendingIntent` is configured to be mutable, the fields of its internal `Intent` can be changed by the receiving application if they were not previously set. This means that a mutable `PendingIntent` that has not defined a destination component (that is, an implicit `PendingIntent`) can be altered to execute an arbitrary action with the privileges of the application that created it.\n\nA malicious application can access an implicit `PendingIntent` as follows:\n\n* It is wrapped and sent as an extra of another implicit `Intent`.\n* It is sent as the action of a `Slide`.\n* It is sent as the action of a `Notification`.\n\n\nOn gaining access, the attacker can modify the underlying `Intent` and execute an arbitrary action with elevated privileges. This could give the malicious application access to private components of the victim application, or the ability to perform actions without having the necessary permissions.\n\n\n## Recommendation\nAvoid creating implicit `PendingIntent`s. 
This means that the underlying `Intent` should always have an explicit destination component.\n\nWhen you add the `PendingIntent` as an extra of another `Intent`, make sure that this second `Intent` also has an explicit destination component, so that it is not delivered to untrusted applications.\n\nCreate the `PendingIntent` using the flag `FLAG_IMMUTABLE` whenever possible, to prevent the destination component from modifying empty fields of the underlying `Intent`.\n\n\n## Example\nIn the following examples, a `PendingIntent` is created and wrapped as an extra of another `Intent`.\n\nIn the first example, both the `PendingIntent` and the `Intent` it is wrapped in are implicit, making them vulnerable to attack.\n\nIn the second example, the issue is avoided by adding explicit destination components to the `PendingIntent` and the wrapping `Intent`.\n\nThe third example uses the `FLAG_IMMUTABLE` flag to prevent the underlying `Intent` from being modified by the destination component.\n\n\n```java\nimport android.app.Activity;\nimport android.app.PendingIntent;\nimport android.content.Intent;\nimport android.os.Bundle;\n\npublic class ImplicitPendingIntents extends Activity {\n\n\tpublic void onCreate(Bundle savedInstance) {\n\t\t{\n\t\t\t// BAD: an implicit Intent is used to create a PendingIntent.\n\t\t\t// The PendingIntent is then added to another implicit Intent\n\t\t\t// and started.\n\t\t\tIntent baseIntent = new Intent();\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent(\"SOME_ACTION\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tsendBroadcast(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: both the PendingIntent and the wrapping Intent are explicit.\n\t\t\tIntent safeIntent = new Intent(this, AnotherActivity.class);\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, safeIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent 
= new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: The PendingIntent is created with FLAG_IMMUTABLE.\n\t\t\tIntent baseIntent = new Intent(\"SOME_ACTION\");\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* Google Help: [ Remediation for Implicit PendingIntent Vulnerability ](https://support.google.com/faqs/answer/10437428?hl=en)\n* University of Potsdam: [ PIAnalyzer: A precise approach for PendingIntent vulnerability analysis ](https://www.cs.uni-potsdam.de/se/papers/esorics18.pdf)\n* Common Weakness Enumeration: [CWE-927](https://cwe.mitre.org/data/definitions/927.html).\n", + "markdown": "# Use of implicit PendingIntents\nA `PendingIntent` is used to wrap an `Intent` that will be supplied and executed by another application. When the `Intent` is executed, it behaves as if it were run directly by the supplying application, using the privileges of that application.\n\nIf a `PendingIntent` is configured to be mutable, the fields of its internal `Intent` can be changed by the receiving application if they were not previously set. 
This means that a mutable `PendingIntent` that has not defined a destination component (that is, an implicit `PendingIntent`) can be altered to execute an arbitrary action with the privileges of the application that created it.\n\nA malicious application can access an implicit `PendingIntent` as follows:\n\n* It is wrapped and sent as an extra of another implicit `Intent`.\n* It is sent as the action of a `Slide`.\n* It is sent as the action of a `Notification`.\n\n\nOn gaining access, the attacker can modify the underlying `Intent` and execute an arbitrary action with elevated privileges. This could give the malicious application access to private components of the victim application, or the ability to perform actions without having the necessary permissions.\n\n\n## Recommendation\nAvoid creating implicit `PendingIntent`s. This means that the underlying `Intent` should always have an explicit destination component.\n\nWhen you add the `PendingIntent` as an extra of another `Intent`, make sure that this second `Intent` also has an explicit destination component, so that it is not delivered to untrusted applications.\n\nCreate the `PendingIntent` using the flag `FLAG_IMMUTABLE` whenever possible, to prevent the destination component from modifying empty fields of the underlying `Intent`.\n\n\n## Example\nIn the following examples, a `PendingIntent` is created and wrapped as an extra of another `Intent`.\n\nIn the first example, both the `PendingIntent` and the `Intent` it is wrapped in are implicit, making them vulnerable to attack.\n\nIn the second example, the issue is avoided by adding explicit destination components to the `PendingIntent` and the wrapping `Intent`.\n\nThe third example uses the `FLAG_IMMUTABLE` flag to prevent the underlying `Intent` from being modified by the destination component.\n\n\n```java\nimport android.app.Activity;\nimport android.app.PendingIntent;\nimport android.content.Intent;\nimport android.os.Bundle;\n\npublic class 
ImplicitPendingIntents extends Activity {\n\n\tpublic void onCreate(Bundle savedInstance) {\n\t\t{\n\t\t\t// BAD: an implicit Intent is used to create a PendingIntent.\n\t\t\t// The PendingIntent is then added to another implicit Intent\n\t\t\t// and started.\n\t\t\tIntent baseIntent = new Intent();\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent(\"SOME_ACTION\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tsendBroadcast(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: both the PendingIntent and the wrapping Intent are explicit.\n\t\t\tIntent safeIntent = new Intent(this, AnotherActivity.class);\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, safeIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: The PendingIntent is created with FLAG_IMMUTABLE.\n\t\t\tIntent baseIntent = new Intent(\"SOME_ACTION\");\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* Google Help: [ Remediation for Implicit PendingIntent Vulnerability ](https://support.google.com/faqs/answer/10437428?hl=en)\n* University of Potsdam: [ PIAnalyzer: A precise approach for PendingIntent vulnerability analysis ](https://www.cs.uni-potsdam.de/se/papers/esorics18.pdf)\n* Common Weakness Enumeration: [CWE-927](https://cwe.mitre.org/data/definitions/927.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-927", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/android/implicitly-exported-component", + "name": "java/android/implicitly-exported-component", + "shortDescription": { + "text": "Implicitly exported Android component" + }, + "fullDescription": { + "text": "Android components with an '' and no 'android:exported' attribute are implicitly exported, which can allow for improper access to the components themselves and to their data." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Implicitly exported Android component\nThe Android manifest file defines configuration settings for Android applications. In this file, components can be declared with intent filters which specify what the components can do and what types of intents the components can respond to. If the `android:exported` attribute is omitted from the component when an intent filter is included, then the component will be implicitly exported.\n\nAn implicitly exported component could allow for improper access to the component and its data.\n\n\n## Recommendation\nExplicitly set the `android:exported` attribute for every component or use permissions to limit access to the component.\n\n\n## Example\nIn the example below, the `android:exported` attribute is omitted when an intent filter is used.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n \n \n \n \n \n\n\n```\nA corrected version sets the `android:exported` attribute to `false`.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n android:exported=\"false\"\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The <intent-filter> element](https://developer.android.com/guide/topics/manifest/intent-filter-element).\n* Android Developers: [The 
android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Android Developers: [The android:permission attribute](https://developer.android.com/guide/topics/manifest/activity-element#prmsn).\n* Android Developers: [Safer component exporting](https://developer.android.com/about/versions/12/behavior-changes-12#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n", + "markdown": "# Implicitly exported Android component\nThe Android manifest file defines configuration settings for Android applications. In this file, components can be declared with intent filters which specify what the components can do and what types of intents the components can respond to. If the `android:exported` attribute is omitted from the component when an intent filter is included, then the component will be implicitly exported.\n\nAn implicitly exported component could allow for improper access to the component and its data.\n\n\n## Recommendation\nExplicitly set the `android:exported` attribute for every component or use permissions to limit access to the component.\n\n\n## Example\nIn the example below, the `android:exported` attribute is omitted when an intent filter is used.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n \n \n \n \n \n\n\n```\nA corrected version sets the `android:exported` attribute to `false`.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n android:exported=\"false\"\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The <intent-filter> element](https://developer.android.com/guide/topics/manifest/intent-filter-element).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Android Developers: [The android:permission 
attribute](https://developer.android.com/guide/topics/manifest/activity-element#prmsn).\n* Android Developers: [Safer component exporting](https://developer.android.com/about/versions/12/behavior-changes-12#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-926", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/android/insecure-local-authentication", + "name": "java/android/insecure-local-authentication", + "shortDescription": { + "text": "Insecure local authentication" + }, + "fullDescription": { + "text": "Local authentication that does not make use of a `CryptoObject` can be bypassed." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Insecure local authentication\nBiometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. However, if this authentication does not use a `KeyStore`-backed key, it can be bypassed by a privileged malicious application, or by an attacker with physical access using application hooking tools such as Frida.\n\n\n## Recommendation\nGenerate a secure key in the Android `KeyStore`. 
Ensure that the `onAuthenticationSuccess` callback for a biometric prompt uses it in a way that is required for the sensitive parts of the application to function, such as by using it to decrypt sensitive data or credentials.\n\n\n## Example\nIn the following (bad) case, no `CryptoObject` is required for the biometric prompt to grant access, so it can be bypassed.\n\n\n```java\nbiometricPrompt.authenticate(\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback {\n @Override\n // BAD: This authentication callback does not make use of a `CryptoObject` from the `result`.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n grantAccess()\n }\n }\n)\n```\nIn the following (good) case, a secret key is generated in the Android `KeyStore`. The application requires this secret key for access, using it to decrypt data.\n\n\n```java\nprivate void generateSecretKey() {\n KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(\n \"MySecretKey\",\n KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)\n .setBlockModes(KeyProperties.BLOCK_MODE_CBC)\n .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)\n .setUserAuthenticationRequired(true)\n .setInvalidatedByBiometricEnrollment(true)\n .build();\n KeyGenerator keyGenerator = KeyGenerator.getInstance(\n KeyProperties.KEY_ALGORITHM_AES, \"AndroidKeyStore\");\n keyGenerator.init(keyGenParameterSpec);\n keyGenerator.generateKey();\n}\n\n\nprivate SecretKey getSecretKey() {\n KeyStore keyStore = KeyStore.getInstance(\"AndroidKeyStore\");\n keyStore.load(null);\n return ((SecretKey)keyStore.getKey(\"MySecretKey\", null));\n}\n\nprivate Cipher getCipher() {\n return Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + \"/\"\n + KeyProperties.BLOCK_MODE_CBC + \"/\"\n + KeyProperties.ENCRYPTION_PADDING_PKCS7);\n}\n\npublic prompt(byte[] encryptedData) {\n Cipher cipher = getCipher();\n SecretKey secretKey = getSecretKey();\n 
cipher.init(Cipher.DECRYPT_MODE, secretKey);\n\n biometricPrompt.authenticate(\n new BiometricPrompt.CryptoObject(cipher),\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback() {\n @Override\n // GOOD: This authentication callback uses the result to decrypt some data.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n Cipher cipher = result.getCryptoObject().getCipher();\n byte[] decryptedData = cipher.doFinal(encryptedData);\n grantAccessWithData(decryptedData);\n }\n }\n );\n}\n```\n\n## References\n* OWASP Mobile Application Security: [Android Local Authentication](https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/)\n* OWASP Mobile Application Security: [Testing Biometric Authentication](https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0018/)\n* WithSecure: [How Secure is your Android Keystore Authentication?](https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication)\n* Android Developers: [Biometric Authentication](https://developer.android.com/training/sign-in/biometric-auth)\n* Common Weakness Enumeration: [CWE-287](https://cwe.mitre.org/data/definitions/287.html).\n", + "markdown": "# Insecure local authentication\nBiometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. However, if this authentication does not use a `KeyStore`-backed key, it can be bypassed by a privileged malicious application, or by an attacker with physical access using application hooking tools such as Frida.\n\n\n## Recommendation\nGenerate a secure key in the Android `KeyStore`. 
Ensure that the `onAuthenticationSuccess` callback for a biometric prompt uses it in a way that is required for the sensitive parts of the application to function, such as by using it to decrypt sensitive data or credentials.\n\n\n## Example\nIn the following (bad) case, no `CryptoObject` is required for the biometric prompt to grant access, so it can be bypassed.\n\n\n```java\nbiometricPrompt.authenticate(\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback {\n @Override\n // BAD: This authentication callback does not make use of a `CryptoObject` from the `result`.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n grantAccess()\n }\n }\n)\n```\nIn the following (good) case, a secret key is generated in the Android `KeyStore`. The application requires this secret key for access, using it to decrypt data.\n\n\n```java\nprivate void generateSecretKey() {\n KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(\n \"MySecretKey\",\n KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)\n .setBlockModes(KeyProperties.BLOCK_MODE_CBC)\n .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)\n .setUserAuthenticationRequired(true)\n .setInvalidatedByBiometricEnrollment(true)\n .build();\n KeyGenerator keyGenerator = KeyGenerator.getInstance(\n KeyProperties.KEY_ALGORITHM_AES, \"AndroidKeyStore\");\n keyGenerator.init(keyGenParameterSpec);\n keyGenerator.generateKey();\n}\n\n\nprivate SecretKey getSecretKey() {\n KeyStore keyStore = KeyStore.getInstance(\"AndroidKeyStore\");\n keyStore.load(null);\n return ((SecretKey)keyStore.getKey(\"MySecretKey\", null));\n}\n\nprivate Cipher getCipher() {\n return Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + \"/\"\n + KeyProperties.BLOCK_MODE_CBC + \"/\"\n + KeyProperties.ENCRYPTION_PADDING_PKCS7);\n}\n\npublic prompt(byte[] encryptedData) {\n Cipher cipher = getCipher();\n SecretKey secretKey = getSecretKey();\n 
cipher.init(Cipher.DECRYPT_MODE, secretKey);\n\n biometricPrompt.authenticate(\n new BiometricPrompt.CryptoObject(cipher),\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback() {\n @Override\n // GOOD: This authentication callback uses the result to decrypt some data.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n Cipher cipher = result.getCryptoObject().getCipher();\n byte[] decryptedData = cipher.doFinal(encryptedData);\n grantAccessWithData(decryptedData);\n }\n }\n );\n}\n```\n\n## References\n* OWASP Mobile Application Security: [Android Local Authentication](https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/)\n* OWASP Mobile Application Security: [Testing Biometric Authentication](https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0018/)\n* WithSecure: [How Secure is your Android Keystore Authentication?](https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication)\n* Android Developers: [Biometric Authentication](https://developer.android.com/training/sign-in/biometric-auth)\n* Common Weakness Enumeration: [CWE-287](https://cwe.mitre.org/data/definitions/287.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-287", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql", + "precision": "high", + "security-severity": "4.4" + } + }, + { + "id": "java/android/intent-redirection", + "name": "java/android/intent-redirection", + "shortDescription": { + "text": "Android Intent redirection" + }, + "fullDescription": { + "text": "Starting Android components with user-provided Intents can provide access to internal components of the application, increasing the attack surface and potentially causing unintended effects." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android Intent redirection\nAn exported Android component that obtains a user-provided Intent and uses it to launch another component can be exploited to obtain access to private, unexported components of the same app or to launch other apps' components on behalf of the victim app.\n\n\n## Recommendation\nDo not export components that start other components from a user-provided Intent. They can be made private by setting the `android:exported` property to `false` in the app's Android Manifest.\n\nIf this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.\n\n\n## Example\nThe following snippet contains three examples. In the first example, an arbitrary component can be started from the externally provided `forward_intent` Intent. In the second example, the destination component of the Intent is first checked to make sure it is safe. 
In the third example, the component that created the Intent is first checked to make sure it comes from a trusted origin.\n\n\n```java\n// BAD: A user-provided Intent is used to launch an arbitrary component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nstartActivity(forwardIntent);\n\n// GOOD: The destination component is checked before launching it\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());\nif (destinationComponent.getPackageName().equals(\"safe.package\") && \n destinationComponent.getClassName().equals(\"SafeClass\")) {\n startActivity(forwardIntent);\n}\n\n// GOOD: The component that sent the Intent is checked before launching the destination component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName originComponent = getCallingActivity();\nif (originComponent.getPackageName().equals(\"trusted.package\") && originComponent.getClassName().equals(\"TrustedClass\")) {\n startActivity(forwardIntent);\n}\n\n```\n\n## References\n* Google: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* OWASP Mobile Security Testing Guide: [Intents](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n", + "markdown": "# Android Intent redirection\nAn exported Android component that obtains a user-provided Intent and uses it to launch another component can be exploited to obtain access to private, unexported components of 
the same app or to launch other apps' components on behalf of the victim app.\n\n\n## Recommendation\nDo not export components that start other components from a user-provided Intent. They can be made private by setting the `android:exported` property to `false` in the app's Android Manifest.\n\nIf this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.\n\n\n## Example\nThe following snippet contains three examples. In the first example, an arbitrary component can be started from the externally provided `forward_intent` Intent. In the second example, the destination component of the Intent is first checked to make sure it is safe. In the third example, the component that created the Intent is first checked to make sure it comes from a trusted origin.\n\n\n```java\n// BAD: A user-provided Intent is used to launch an arbitrary component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nstartActivity(forwardIntent);\n\n// GOOD: The destination component is checked before launching it\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());\nif (destinationComponent.getPackageName().equals(\"safe.package\") && \n destinationComponent.getClassName().equals(\"SafeClass\")) {\n startActivity(forwardIntent);\n}\n\n// GOOD: The component that sent the Intent is checked before launching the destination component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName originComponent = getCallingActivity();\nif (originComponent.getPackageName().equals(\"trusted.package\") && originComponent.getClassName().equals(\"TrustedClass\")) {\n startActivity(forwardIntent);\n}\n\n```\n\n## References\n* Google: [Remediation for Intent Redirection 
Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* OWASP Mobile Security Testing Guide: [Intents](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-926", + "external/cwe/cwe-940", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/android/intent-uri-permission-manipulation", + "name": "java/android/intent-uri-permission-manipulation", + "shortDescription": { + "text": "Intent URI permission manipulation" + }, + "fullDescription": { + "text": "Returning an externally provided Intent via 'setResult' may allow a malicious application to access arbitrary content providers of the vulnerable application." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Intent URI permission manipulation\nWhen an Android component expects a result from an Activity, `startActivityForResult` can be used. The started Activity can then use `setResult` to return the appropriate data to the calling component.\n\nIf an Activity obtains the incoming, user-provided Intent and directly returns it via `setResult` without any checks, the application may be unintentionally giving arbitrary access to its content providers, even if they are not exported, as long as they are configured with the attribute `android:grantUriPermissions=\"true\"`. 
This happens because the attacker adds the appropriate URI permission flags to the provided Intent, which take effect once the Intent is reflected back.\n\n\n## Recommendation\nAvoid returning user-provided or untrusted Intents via `setResult`. Use a new Intent instead.\n\nIf it is required to use the received Intent, make sure that it does not contain URI permission flags, either by checking them with `Intent.getFlags` or removing them with `Intent.removeFlags`.\n\n\n## Example\nThe following sample contains three examples. In the first example, a user-provided Intent is obtained and directly returned back with `setResult`, which is dangerous. In the second example, a new Intent is created to safely return the desired data. The third example shows how the obtained Intent can be sanitized by removing dangerous flags before using it to return data to the calling component.\n\n\n```java\npublic class IntentUriPermissionManipulation extends Activity {\n\n // BAD: the user-provided Intent is returned as-is\n public void dangerous() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: a new Intent is created and returned\n public void safe() {\n Intent intent = new Intent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: the user-provided Intent is sanitized before being returned\n public void sanitized() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n intent.removeFlags(\n Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION);\n setResult(intent);\n }\n}\n\n```\n\n## References\n* Google Help: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n", + "markdown": "# Intent URI 
permission manipulation\nWhen an Android component expects a result from an Activity, `startActivityForResult` can be used. The started Activity can then use `setResult` to return the appropriate data to the calling component.\n\nIf an Activity obtains the incoming, user-provided Intent and directly returns it via `setResult` without any checks, the application may be unintentionally giving arbitrary access to its content providers, even if they are not exported, as long as they are configured with the attribute `android:grantUriPermissions=\"true\"`. This happens because the attacker adds the appropriate URI permission flags to the provided Intent, which take effect once the Intent is reflected back.\n\n\n## Recommendation\nAvoid returning user-provided or untrusted Intents via `setResult`. Use a new Intent instead.\n\nIf it is required to use the received Intent, make sure that it does not contain URI permission flags, either by checking them with `Intent.getFlags` or removing them with `Intent.removeFlags`.\n\n\n## Example\nThe following sample contains three examples. In the first example, a user-provided Intent is obtained and directly returned back with `setResult`, which is dangerous. In the second example, a new Intent is created to safely return the desired data. 
The third example shows how the obtained Intent can be sanitized by removing dangerous flags before using it to return data to the calling component.\n\n\n```java\npublic class IntentUriPermissionManipulation extends Activity {\n\n // BAD: the user-provided Intent is returned as-is\n public void dangerous() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: a new Intent is created and returned\n public void safe() {\n Intent intent = new Intent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: the user-provided Intent is sanitized before being returned\n public void sanitized() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n intent.removeFlags(\n Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION);\n setResult(intent);\n }\n}\n\n```\n\n## References\n* Google Help: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-266", + "external/cwe/cwe-926", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/android/unsafe-content-uri-resolution", + "name": "java/android/unsafe-content-uri-resolution", + "shortDescription": { + "text": "Uncontrolled data used in content resolution" + }, + "fullDescription": { + "text": "Resolving externally-provided content URIs without validation can allow an attacker to access unexpected resources." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Uncontrolled data used in content resolution\nWhen an Android application wants to access data in a content provider, it uses the `ContentResolver` object. `ContentResolver`s communicate with an instance of a class that implements the `ContentProvider` interface via URIs with the `content://` scheme. The authority part (the first path segment) of the URI, passed as parameter to the `ContentResolver`, determines which content provider is contacted for the operation. Specific operations that act on files also support the `file://` scheme, in which case the local filesystem is queried instead. If an external component, like a malicious or compromised application, controls the URI for a `ContentResolver` operation, it can trick the vulnerable application into accessing its own private files or non-exported content providers. The attacking application might be able to get access to the file by forcing it to be copied to a public directory, like external storage, or tamper with the contents by making the application overwrite the file with unexpected data.\n\n\n## Recommendation\nIf possible, avoid using externally-provided data to determine the URI for a `ContentResolver` to use. If that is not an option, validate that the incoming URI can only reference trusted components, like an allow list of content providers and/or applications, or alternatively make sure that the URI does not reference private directories like `/data/`.\n\n\n## Example\nThis example shows three ways of opening a file using a `ContentResolver`. In the first case, externally-provided data from an intent is used directly in the file-reading operation. This allows an attacker to provide a URI of the form `/data/data/(vulnerable app package)/(private file)` to trick the application into reading it and copying it to the external storage. 
In the second case, an insufficient check is performed on the externally-provided URI, still leaving room for exploitation. In the third case, the URI is correctly validated before being used, making sure it does not reference any internal application files.\n\n\n```java\nimport android.content.ContentResolver;\nimport android.net.Uri;\n\npublic class Example extends Activity {\n public void onCreate() {\n // BAD: Externally-provided URI directly used in content resolution\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // BAD: input URI is not normalized, and check can be bypassed with \"..\" characters\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n if (path.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // GOOD: URI is properly validated to block access to internal files\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n java.nio.file.Path normalized =\n java.nio.file.FileSystems.getDefault().getPath(path).normalize();\n if (normalized.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n }\n\n private void copyToExternalCache(InputStream is) {\n // Reads the contents of is and writes a file in the app's external\n // cache directory, which can be read publicly by applications in the same device.\n }\n}\n\n```\n\n## References\n* Android developers: [Content provider basics](https://developer.android.com/guide/topics/providers/content-provider-basics)\n* [The ContentResolver 
class](https://developer.android.com/reference/android/content/ContentResolver)\n* Common Weakness Enumeration: [CWE-441](https://cwe.mitre.org/data/definitions/441.html).\n* Common Weakness Enumeration: [CWE-610](https://cwe.mitre.org/data/definitions/610.html).\n", + "markdown": "# Uncontrolled data used in content resolution\nWhen an Android application wants to access data in a content provider, it uses the `ContentResolver` object. `ContentResolver`s communicate with an instance of a class that implements the `ContentProvider` interface via URIs with the `content://` scheme. The authority part (the first path segment) of the URI, passed as parameter to the `ContentResolver`, determines which content provider is contacted for the operation. Specific operations that act on files also support the `file://` scheme, in which case the local filesystem is queried instead. If an external component, like a malicious or compromised application, controls the URI for a `ContentResolver` operation, it can trick the vulnerable application into accessing its own private files or non-exported content providers. The attacking application might be able to get access to the file by forcing it to be copied to a public directory, like external storage, or tamper with the contents by making the application overwrite the file with unexpected data.\n\n\n## Recommendation\nIf possible, avoid using externally-provided data to determine the URI for a `ContentResolver` to use. If that is not an option, validate that the incoming URI can only reference trusted components, like an allow list of content providers and/or applications, or alternatively make sure that the URI does not reference private directories like `/data/`.\n\n\n## Example\nThis example shows three ways of opening a file using a `ContentResolver`. In the first case, externally-provided data from an intent is used directly in the file-reading operation. 
This allows an attacker to provide a URI of the form `/data/data/(vulnerable app package)/(private file)` to trick the application into reading it and copying it to the external storage. In the second case, an insufficient check is performed on the externally-provided URI, still leaving room for exploitation. In the third case, the URI is correctly validated before being used, making sure it does not reference any internal application files.\n\n\n```java\nimport android.content.ContentResolver;\nimport android.net.Uri;\n\npublic class Example extends Activity {\n public void onCreate() {\n // BAD: Externally-provided URI directly used in content resolution\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // BAD: input URI is not normalized, and check can be bypassed with \"..\" characters\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n if (path.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // GOOD: URI is properly validated to block access to internal files\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n java.nio.file.Path normalized =\n java.nio.file.FileSystems.getDefault().getPath(path).normalize();\n if (normalized.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n }\n\n private void copyToExternalCache(InputStream is) {\n // Reads the contents of is and writes a file in the app's external\n // cache directory, which can be read publicly by applications in the same device.\n 
}\n}\n\n```\n\n## References\n* Android developers: [Content provider basics](https://developer.android.com/guide/topics/providers/content-provider-basics)\n* [The ContentResolver class](https://developer.android.com/reference/android/content/ContentResolver)\n* Common Weakness Enumeration: [CWE-441](https://cwe.mitre.org/data/definitions/441.html).\n* Common Weakness Enumeration: [CWE-610](https://cwe.mitre.org/data/definitions/610.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-441", + "external/cwe/cwe-610", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/android/webview-debugging-enabled", + "name": "java/android/webview-debugging-enabled", + "shortDescription": { + "text": "Android Webview debugging enabled" + }, + "fullDescription": { + "text": "Enabling Webview debugging in production builds can expose entry points or leak sensitive information." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Android Webview debugging enabled\nThe `WebView.setWebContentsDebuggingEnabled` method enables or disables the contents of any `WebView` in the application to be debugged.\n\nYou should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.\n\n\n## Recommendation\nEnsure that debugging features are not enabled in production builds, such as by guarding calls to `WebView.setWebContentsDebuggingEnabled(true)` by a flag that is only enabled in debug builds.\n\n\n## Example\nIn the first (bad) example, WebView debugging is always enabled. 
whereas the GOOD case only enables it if the `android:debuggable` attribute is set to `true`.\n\n\n```java\n// BAD - debugging is always enabled \nWebView.setWebContentsDebuggingEnabled(true);\n\n// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.\nif (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {\n WebView.setWebContentsDebuggingEnabled(true);\n}\n```\n\n## References\n* Android Developers: [setWebContentsDebuggingEnabled](https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)).\n* Android Developers: [Remote debugging WebViews](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n", + "markdown": "# Android Webview debugging enabled\nThe `WebView.setWebContentsDebuggingEnabled` method enables or disables the contents of any `WebView` in the application to be debugged.\n\nYou should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.\n\n\n## Recommendation\nEnsure that debugging features are not enabled in production builds, such as by guarding calls to `WebView.setWebContentsDebuggingEnabled(true)` by a flag that is only enabled in debug builds.\n\n\n## Example\nIn the first (bad) example, WebView debugging is always enabled. 
whereas the GOOD case only enables it if the `android:debuggable` attribute is set to `true`.\n\n\n```java\n// BAD - debugging is always enabled \nWebView.setWebContentsDebuggingEnabled(true);\n\n// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.\nif (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {\n WebView.setWebContentsDebuggingEnabled(true);\n}\n```\n\n## References\n* Android Developers: [setWebContentsDebuggingEnabled](https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)).\n* Android Developers: [Remote debugging WebViews](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-489", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql", + "precision": "high", + "security-severity": "7.2" + } + }, + { + "id": "java/cleartext-storage-in-cookie", + "name": "java/cleartext-storage-in-cookie", + "shortDescription": { + "text": "Cleartext storage of sensitive information in cookie" + }, + "fullDescription": { + "text": "Storing sensitive information in cleartext can expose it to an attacker." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Cleartext storage of sensitive information in cookie\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. It may be wise to encrypt information before it is put into a heap data structure (such as `Java.util.Properties`) that may be written to disk later. 
Objects that are serializable or marshallable should also always contain encrypted information unless you are certain that they are not ever going to be serialized.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\n\n## Example\nThe following example shows two ways of storing user credentials in a cookie. In the 'BAD' case, the credentials are simply stored in cleartext. In the 'GOOD' case, the credentials are hashed before storing them.\n\n\n```java\npublic static void main(String[] args) {\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"BP@ssw0rd\".toCharArray());\n\t\tdata = credentials.getUserName() + \":\" + new String(credentials.getPassword());\n\t\n\t\t// BAD: store data in a cookie in cleartext form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n\t\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"GP@ssw0rd\".toCharArray());\n\t\tString salt = \"ThisIsMySalt\";\n\t\tMessageDigest messageDigest = MessageDigest.getInstance(\"SHA-512\");\n\t\tmessageDigest.reset();\n\t\tString credentialsToHash =\n\t\t\t\tcredentials.getUserName() + \":\" + credentials.getPassword();\n\t\tbyte[] hashedCredsAsBytes =\n\t\t\t\tmessageDigest.digest((salt+credentialsToHash).getBytes(\"UTF-8\"));\n\t\tdata = bytesToString(hashedCredsAsBytes);\n\t\t\n\t\t// GOOD: store data in a cookie in encrypted form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n}\n\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. 
Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n", + "markdown": "# Cleartext storage of sensitive information in cookie\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. It may be wise to encrypt information before it is put into a heap data structure (such as `Java.util.Properties`) that may be written to disk later. Objects that are serializable or marshallable should also always contain encrypted information unless you are certain that they are not ever going to be serialized.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\n\n## Example\nThe following example shows two ways of storing user credentials in a cookie. In the 'BAD' case, the credentials are simply stored in cleartext. 
In the 'GOOD' case, the credentials are hashed before storing them.\n\n\n```java\npublic static void main(String[] args) {\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"BP@ssw0rd\".toCharArray());\n\t\tdata = credentials.getUserName() + \":\" + new String(credentials.getPassword());\n\t\n\t\t// BAD: store data in a cookie in cleartext form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n\t\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"GP@ssw0rd\".toCharArray());\n\t\tString salt = \"ThisIsMySalt\";\n\t\tMessageDigest messageDigest = MessageDigest.getInstance(\"SHA-512\");\n\t\tmessageDigest.reset();\n\t\tString credentialsToHash =\n\t\t\t\tcredentials.getUserName() + \":\" + credentials.getPassword();\n\t\tbyte[] hashedCredsAsBytes =\n\t\t\t\tmessageDigest.digest((salt+credentialsToHash).getBytes(\"UTF-8\"));\n\t\tdata = bytesToString(hashedCredsAsBytes);\n\t\t\n\t\t// GOOD: store data in a cookie in encrypted form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n}\n\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. 
Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-315", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/command-line-injection", + "name": "java/command-line-injection", + "shortDescription": { + "text": "Uncontrolled command line" + }, + "fullDescription": { + "text": "Using externally controlled strings in a command line is vulnerable to malicious changes in the strings." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Uncontrolled command line\nCode that passes user input directly to `Runtime.exec`, or some other library routine that executes a command, allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the command to run or library to load. Instead of passing the user input directly to the process or library function, examine the user input and then choose among hard-coded string literals.\n\nIf the applicable libraries or commands cannot be determined at compile time, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that takes a shell script that can be changed maliciously by a user, and passes it straight to `Runtime.exec` without examining it first.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n String script = System.getenv(\"SCRIPTNAME\");\n if (script != null) {\n // BAD: The script to be executed is controlled by the user.\n Runtime.getRuntime().exec(script);\n }\n }\n}\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. 
Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown": "# Uncontrolled command line\nCode that passes user input directly to `Runtime.exec`, or some other library routine that executes a command, allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the command to run or library to load. Instead of passing the user input directly to the process or library function, examine the user input and then choose among hard-coded string literals.\n\nIf the applicable libraries or commands cannot be determined at compile time, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that takes a shell script that can be changed maliciously by a user, and passes it straight to `Runtime.exec` without examining it first.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n String script = System.getenv(\"SCRIPTNAME\");\n if (script != null) {\n // BAD: The script to be executed is controlled by the user.\n Runtime.getRuntime().exec(script);\n }\n }\n}\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. 
Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-078", + "external/cwe/cwe-088", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/concatenated-command-line", + "name": "java/concatenated-command-line", + "shortDescription": { + "text": "Building a command line with string concatenation" + }, + "fullDescription": { + "text": "Using concatenated strings in a command line is vulnerable to malicious insertion of special characters in the strings." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Building a command line with string concatenation\nCode that builds a command line by concatenating strings that have been entered by a user allows the user to execute malicious code.\n\n\n## Recommendation\nExecute external commands using an array of strings rather than a single string. By using an array, many possible vulnerabilities in the formatting of the string are avoided.\n\n\n## Example\nIn the following example, `latlonCoords` contains a string that has been entered by a user but not validated by the program. This allows the user to, for example, append an ampersand (&) followed by the command for a malicious program to the end of the string. The ampersand instructs Windows to execute another program. In the block marked 'BAD', `latlonCoords` is passed to `exec` as part of a concatenated string, which allows more than one command to be executed. 
However, in the block marked 'GOOD', `latlonCoords` is passed as part of an array, which means that `exec` treats it only as an argument.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n // BAD: user input might include special characters such as ampersands\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(\"cmd.exe /C latlon2utm.exe \" + latlonCoords);\n }\n\n // GOOD: use an array of arguments instead of executing a string\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(new String[] {\n \"c:\\\\path\\to\\latlon2utm.exe\",\n latlonCoords });\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown": "# Building a command line with string concatenation\nCode that builds a command line by concatenating strings that have been entered by a user allows the user to execute malicious code.\n\n\n## Recommendation\nExecute external commands using an array of strings rather than a single string. By using an array, many possible vulnerabilities in the formatting of the string are avoided.\n\n\n## Example\nIn the following example, `latlonCoords` contains a string that has been entered by a user but not validated by the program. This allows the user to, for example, append an ampersand (&) followed by the command for a malicious program to the end of the string. The ampersand instructs Windows to execute another program. 
In the block marked 'BAD', `latlonCoords` is passed to `exec` as part of a concatenated string, which allows more than one command to be executed. However, in the block marked 'GOOD', `latlonCoords` is passed as part of an array, which means that `exec` treats it only as an argument.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n // BAD: user input might include special characters such as ampersands\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(\"cmd.exe /C latlon2utm.exe \" + latlonCoords);\n }\n\n // GOOD: use an array of arguments instead of executing a string\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(new String[] {\n \"c:\\\\path\\to\\latlon2utm.exe\",\n latlonCoords });\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-078", + "external/cwe/cwe-088", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/error-message-exposure", + "name": "java/error-message-exposure", + "shortDescription": { + "text": "Information exposure through an error message" + }, + "fullDescription": { + "text": "Information from an error message propagates to an external user. 
Error messages can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Information exposure through an error message\nThe error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the error message entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `getMessage()` method. As such, the user is able to see a detailed error message, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a exception message back to the response\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\tex.getMessage());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the exception message, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex.getMessage);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. 
Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n", + "markdown": "# Information exposure through an error message\nThe error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the error message entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `getMessage()` method. As such, the user is able to see a detailed error message, which may contain sensitive information. In the second version, the error message is logged only on the server. 
That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a exception message back to the response\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\tex.getMessage());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the exception message, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex.getMessage);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-209", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql", + "precision": "high", + "security-severity": "5.4" + } + }, + { + "id": "java/groovy-injection", + "name": "java/groovy-injection", + "shortDescription": { + "text": "Groovy Language injection" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled Groovy script may lead to arbitrary code execution." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Groovy Language injection\nApache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. If a Groovy script is built using attacker-controlled data, and then evaluated, then it may allow the attacker to achieve RCE.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a Groovy evaluation. If this is not possible, use a sandbox solution. Developers must also take care that Groovy compile-time metaprogramming can also lead to RCE: it is possible to achieve RCE by compiling a Groovy script (see the article \"Abusing Meta Programming for Unauthenticated RCE!\" linked below). Groovy's `SecureASTCustomizer` allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. The fundamental problem is that Groovy is a dynamic language, yet `SecureASTCustomizer` works by looking at Groovy AST statically. This makes it very easy for an attacker to bypass many of the intended checks (see \\[Groovy SecureASTCustomizer is harmful\\](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/)). Therefore, besides `SecureASTCustomizer`, runtime checks are also necessary before calling Groovy methods (see \\[Improved sandboxing of Groovy scripts\\](https://melix.github.io/blog/2015/03/sandboxing.html)). It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. 
This method is not always recommended, because block-lists can be bypassed by unexpected values.\n\n\n## Example\nThe following example uses untrusted data to evaluate a Groovy script.\n\n\n```java\npublic class GroovyInjection {\n void injectionViaClassLoader(HttpServletRequest request) { \n String script = request.getParameter(\"script\");\n final GroovyClassLoader classLoader = new GroovyClassLoader();\n Class groovy = classLoader.parseClass(script);\n GroovyObject groovyObj = (GroovyObject) groovy.newInstance();\n }\n\n void injectionViaEval(HttpServletRequest request) {\n String script = request.getParameter(\"script\");\n Eval.me(script);\n }\n\n void injectionViaGroovyShell(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n shell.evaluate(script);\n }\n\n void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n GroovyCodeSource gcs = new GroovyCodeSource(script, \"test\", \"Test\");\n shell.evaluate(gcs);\n }\n}\n\n\n```\nThe following example uses classloader block-list approach to exclude loading dangerous classes.\n\n\n```java\npublic class SandboxGroovyClassLoader extends ClassLoader {\n public SandboxGroovyClassLoader(ClassLoader parent) {\n super(parent);\n }\n\n /* override `loadClass` here to prevent loading sensitive classes, such as `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.lang.System`, etc. */\n /* Note we must also block `groovy.transform.ASTTest`, `groovy.lang.GrabConfig` and `org.buildobjects.process.ProcBuilder` to prevent compile-time RCE. 
*/\n\n static void runWithSandboxGroovyClassLoader() throws Exception {\n // GOOD: route all class-loading via sand-boxing classloader.\n SandboxGroovyClassLoader classLoader = new GroovyClassLoader(new SandboxGroovyClassLoader());\n \n Class scriptClass = classLoader.parseClass(untrusted.getQueryString());\n Object scriptInstance = scriptClass.newInstance();\n Object result = scriptClass.getDeclaredMethod(\"bar\", new Class[]{}).invoke(scriptInstance, new Object[]{});\n }\n}\n```\n\n## References\n* Orange Tsai: [Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html).\n* Cédric Champeau: [Improved sandboxing of Groovy scripts](https://melix.github.io/blog/2015/03/sandboxing.html).\n* Kohsuke Kawaguchi: [Groovy SecureASTCustomizer is harmful](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).\n* Welk1n: [Groovy Injection payloads](https://github.com/welk1n/exploiting-groovy-in-Java/).\n* Charles Chan: [Secure Groovy Script Execution in a Sandbox](https://levelup.gitconnected.com/secure-groovy-script-execution-in-a-sandbox-ea39f80ee87/).\n* Eugene: [Scripting and sandboxing in a JVM environment](https://stringconcat.com/en/scripting-and-sandboxing/).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Groovy Language injection\nApache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. 
If a Groovy script is built using attacker-controlled data, and then evaluated, then it may allow the attacker to achieve RCE.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a Groovy evaluation. If this is not possible, use a sandbox solution. Developers must also take care that Groovy compile-time metaprogramming can also lead to RCE: it is possible to achieve RCE by compiling a Groovy script (see the article \"Abusing Meta Programming for Unauthenticated RCE!\" linked below). Groovy's `SecureASTCustomizer` allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. The fundamental problem is that Groovy is a dynamic language, yet `SecureASTCustomizer` works by looking at Groovy AST statically. This makes it very easy for an attacker to bypass many of the intended checks (see \\[Groovy SecureASTCustomizer is harmful\\](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/)). Therefore, besides `SecureASTCustomizer`, runtime checks are also necessary before calling Groovy methods (see \\[Improved sandboxing of Groovy scripts\\](https://melix.github.io/blog/2015/03/sandboxing.html)). It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. 
This method is not always recommended, because block-lists can be bypassed by unexpected values.\n\n\n## Example\nThe following example uses untrusted data to evaluate a Groovy script.\n\n\n```java\npublic class GroovyInjection {\n void injectionViaClassLoader(HttpServletRequest request) { \n String script = request.getParameter(\"script\");\n final GroovyClassLoader classLoader = new GroovyClassLoader();\n Class groovy = classLoader.parseClass(script);\n GroovyObject groovyObj = (GroovyObject) groovy.newInstance();\n }\n\n void injectionViaEval(HttpServletRequest request) {\n String script = request.getParameter(\"script\");\n Eval.me(script);\n }\n\n void injectionViaGroovyShell(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n shell.evaluate(script);\n }\n\n void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n GroovyCodeSource gcs = new GroovyCodeSource(script, \"test\", \"Test\");\n shell.evaluate(gcs);\n }\n}\n\n\n```\nThe following example uses classloader block-list approach to exclude loading dangerous classes.\n\n\n```java\npublic class SandboxGroovyClassLoader extends ClassLoader {\n public SandboxGroovyClassLoader(ClassLoader parent) {\n super(parent);\n }\n\n /* override `loadClass` here to prevent loading sensitive classes, such as `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.lang.System`, etc. */\n /* Note we must also block `groovy.transform.ASTTest`, `groovy.lang.GrabConfig` and `org.buildobjects.process.ProcBuilder` to prevent compile-time RCE. 
*/\n\n static void runWithSandboxGroovyClassLoader() throws Exception {\n // GOOD: route all class-loading via sand-boxing classloader.\n SandboxGroovyClassLoader classLoader = new GroovyClassLoader(new SandboxGroovyClassLoader());\n \n Class scriptClass = classLoader.parseClass(untrusted.getQueryString());\n Object scriptInstance = scriptClass.newInstance();\n Object result = scriptClass.getDeclaredMethod(\"bar\", new Class[]{}).invoke(scriptInstance, new Object[]{});\n }\n}\n```\n\n## References\n* Orange Tsai: [Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html).\n* Cédric Champeau: [Improved sandboxing of Groovy scripts](https://melix.github.io/blog/2015/03/sandboxing.html).\n* Kohsuke Kawaguchi: [Groovy SecureASTCustomizer is harmful](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).\n* Welk1n: [Groovy Injection payloads](https://github.com/welk1n/exploiting-groovy-in-Java/).\n* Charles Chan: [Secure Groovy Script Execution in a Sandbox](https://levelup.gitconnected.com/secure-groovy-script-execution-in-a-sandbox-ea39f80ee87/).\n* Eugene: [Scripting and sandboxing in a JVM environment](https://stringconcat.com/en/scripting-and-sandboxing/).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/http-response-splitting", + "name": "java/http-response-splitting", + "shortDescription": { + "text": "HTTP response splitting" + }, + "fullDescription": { + "text": "Writing user input directly to an HTTP header makes code vulnerable to attack by header splitting." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# HTTP response splitting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. 
The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. 
The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n", + "markdown": "# HTTP response splitting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. 
The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. 
The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response 
splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-113", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/implicit-cast-in-compound-assignment", + "name": "java/implicit-cast-in-compound-assignment", + "shortDescription": { + "text": "Implicit narrowing conversion in compound assignment" + }, + "fullDescription": { + "text": "Compound assignment statements (for example 'intvar += longvar') that implicitly cast a value of a wider type to a narrower type may result in information loss and numeric errors such as overflows." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Implicit narrowing conversion in compound assignment\nCompound assignment statements of the form `x += y` or `x *= y` perform an implicit narrowing conversion if the type of `x` is narrower than the type of `y`. For example, `x += y` is equivalent to `x = (T)(x + y)`, where `T` is the type of `x`. This can result in information loss and numeric errors such as overflows.\n\n\n## Recommendation\nEnsure that the type of the left-hand side of the compound assignment statement is at least as wide as the type of the right-hand side.\n\n\n## Example\nIf `x` is of type `short` and `y` is of type `int`, the expression `x + y` is of type `int`. However, the expression `x += y` is equivalent to `x = (short) (x + y)`. The expression `x + y` is cast to the type of the left-hand side of the assignment: `short`, possibly leading to information loss.\n\nTo avoid implicitly narrowing the type of `x + y`, change the type of `x` to `int`. 
Then the types of `x` and `x + y` are both `int` and there is no need for an implicit cast.\n\n\n## References\n* J. Bloch and N. Gafter, *Java Puzzlers: Traps, Pitfalls, and Corner Cases*, Puzzle 9. Addison-Wesley, 2005.\n* Java Language Specification: [Compound Assignment Operators](https://docs.oracle.com/javase/specs/jls/se11/html/jls-15.html#jls-15.26.2), [Narrowing Primitive Conversion](https://docs.oracle.com/javase/specs/jls/se11/html/jls-5.html#jls-5.1.3).\n* SEI CERT Oracle Coding Standard for Java: [NUM00-J. Detect or prevent integer overflow](https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow).\n* Common Weakness Enumeration: [CWE-190](https://cwe.mitre.org/data/definitions/190.html).\n* Common Weakness Enumeration: [CWE-192](https://cwe.mitre.org/data/definitions/192.html).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n", + "markdown": "# Implicit narrowing conversion in compound assignment\nCompound assignment statements of the form `x += y` or `x *= y` perform an implicit narrowing conversion if the type of `x` is narrower than the type of `y`. For example, `x += y` is equivalent to `x = (T)(x + y)`, where `T` is the type of `x`. This can result in information loss and numeric errors such as overflows.\n\n\n## Recommendation\nEnsure that the type of the left-hand side of the compound assignment statement is at least as wide as the type of the right-hand side.\n\n\n## Example\nIf `x` is of type `short` and `y` is of type `int`, the expression `x + y` is of type `int`. However, the expression `x += y` is equivalent to `x = (short) (x + y)`. The expression `x + y` is cast to the type of the left-hand side of the assignment: `short`, possibly leading to information loss.\n\nTo avoid implicitly narrowing the type of `x + y`, change the type of `x` to `int`. 
Then the types of `x` and `x + y` are both `int` and there is no need for an implicit cast.\n\n\n## References\n* J. Bloch and N. Gafter, *Java Puzzlers: Traps, Pitfalls, and Corner Cases*, Puzzle 9. Addison-Wesley, 2005.\n* Java Language Specification: [Compound Assignment Operators](https://docs.oracle.com/javase/specs/jls/se11/html/jls-15.html#jls-15.26.2), [Narrowing Primitive Conversion](https://docs.oracle.com/javase/specs/jls/se11/html/jls-5.html#jls-5.1.3).\n* SEI CERT Oracle Coding Standard for Java: [NUM00-J. Detect or prevent integer overflow](https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow).\n* Common Weakness Enumeration: [CWE-190](https://cwe.mitre.org/data/definitions/190.html).\n* Common Weakness Enumeration: [CWE-192](https://cwe.mitre.org/data/definitions/192.html).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-190", + "external/cwe/cwe-192", + "external/cwe/cwe-197", + "external/cwe/cwe-681", + "reliability", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Likely%20Bugs/Arithmetic/InformationLoss.ql", + "precision": "very-high", + "security-severity": "8.1" + } + }, + { + "id": "java/improper-intent-verification", + "name": "java/improper-intent-verification", + "shortDescription": { + "text": "Improper verification of intent by broadcast receiver" + }, + "fullDescription": { + "text": "A broadcast receiver that does not verify intents it receives may be susceptible to unintended behavior by third party applications sending it explicit intents." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Improper verification of intent by broadcast receiver\nWhen an Android application uses a `BroadcastReceiver` to receive intents, it is also able to receive explicit intents that are sent directly to it, regardless of its filter. Certain intent actions are only able to be sent by the operating system, not third-party applications. However, a `BroadcastReceiver` that is registered to receive system intents is still able to receive intents from a third-party application, so it should check that the intent received has the expected action. Otherwise, a third-party application could impersonate the system this way to cause unintended behavior, such as a denial of service.\n\n\n## Example\nIn the following code, the `ShutdownReceiver` initiates a shutdown procedure upon receiving an intent, without checking that the received action is indeed `ACTION_SHUTDOWN`. This allows third-party applications to send explicit intents to this receiver to cause a denial of service.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n```xml\n\n \n \n \n \n \n \n \n\n```\n\n## Recommendation\nIn the `onReceive` method of a `BroadcastReceiver`, the action of the received Intent should be checked. 
The following code demonstrates this.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {\n return;\n }\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n## References\n* Common Weakness Enumeration: [CWE-925](https://cwe.mitre.org/data/definitions/925.html).\n", + "markdown": "# Improper verification of intent by broadcast receiver\nWhen an Android application uses a `BroadcastReceiver` to receive intents, it is also able to receive explicit intents that are sent directly to it, regardless of its filter. Certain intent actions are only able to be sent by the operating system, not third-party applications. However, a `BroadcastReceiver` that is registered to receive system intents is still able to receive intents from a third-party application, so it should check that the intent received has the expected action. Otherwise, a third-party application could impersonate the system this way to cause unintended behavior, such as a denial of service.\n\n\n## Example\nIn the following code, the `ShutdownReceiver` initiates a shutdown procedure upon receiving an intent, without checking that the received action is indeed `ACTION_SHUTDOWN`. This allows third-party applications to send explicit intents to this receiver to cause a denial of service.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n```xml\n\n \n \n \n \n \n \n \n\n```\n\n## Recommendation\nIn the `onReceive` method of a `BroadcastReceiver`, the action of the received Intent should be checked. 
The following code demonstrates this.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {\n return;\n }\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n## References\n* Common Weakness Enumeration: [CWE-925](https://cwe.mitre.org/data/definitions/925.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-925", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/improper-webview-certificate-validation", + "name": "java/improper-webview-certificate-validation", + "shortDescription": { + "text": "Android `WebView` that accepts all certificates" + }, + "fullDescription": { + "text": "Trusting all certificates allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android `WebView` that accepts all certificates\nIf the `onReceivedSslError` method of an Android `WebViewClient` always calls `proceed` on the given `SslErrorHandler`, it trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable application connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable application calls the `onReceivedSslError` method to check whether it should trust the certificate.\n1. The `onReceivedSslError` method of your `WebViewClient` calls `SslErrorHandler.proceed`.\n1. 
The vulnerable application accepts the certificate and proceeds with the connection since your `WevViewClient` trusted it by proceeding.\n1. The attacker can now read the data your application sends to `https://example.com` and/or alter its replies while the application thinks the connection is secure.\n\n## Recommendation\nDo not use a call `SslerrorHandler.proceed` unconditionally. If you have to use a self-signed certificate, only accept that certificate, not all certificates.\n\n\n## Example\nIn the first (bad) example, the `WebViewClient` trusts all certificates by always calling `SslErrorHandler.proceed`. In the second (good) example, only certificates signed by a certain public key are accepted.\n\n\n```java\nclass Bad extends WebViewClient {\n // BAD: All certificates are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n handler.proceed(); \n }\n}\n\nclass Good extends WebViewClient {\n PublicKey myPubKey = ...;\n\n // GOOD: Only certificates signed by a certain public key are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n try {\n X509Certificate cert = error.getCertificate().getX509Certificate();\n cert.verify(this.myPubKey);\n handler.proceed();\n }\n catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {\n handler.cancel();\n }\n } \n}\n```\n\n## References\n* [WebViewClient.onReceivedSslError documentation](https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n", + "markdown": "# Android `WebView` that accepts all certificates\nIf the `onReceivedSslError` method of an Android `WebViewClient` always calls `proceed` on the given 
`SslErrorHandler`, it trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable application connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable application calls the `onReceivedSslError` method to check whether it should trust the certificate.\n1. The `onReceivedSslError` method of your `WebViewClient` calls `SslErrorHandler.proceed`.\n1. The vulnerable application accepts the certificate and proceeds with the connection since your `WevViewClient` trusted it by proceeding.\n1. The attacker can now read the data your application sends to `https://example.com` and/or alter its replies while the application thinks the connection is secure.\n\n## Recommendation\nDo not use a call `SslerrorHandler.proceed` unconditionally. If you have to use a self-signed certificate, only accept that certificate, not all certificates.\n\n\n## Example\nIn the first (bad) example, the `WebViewClient` trusts all certificates by always calling `SslErrorHandler.proceed`. 
In the second (good) example, only certificates signed by a certain public key are accepted.\n\n\n```java\nclass Bad extends WebViewClient {\n // BAD: All certificates are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n handler.proceed(); \n }\n}\n\nclass Good extends WebViewClient {\n PublicKey myPubKey = ...;\n\n // GOOD: Only certificates signed by a certain public key are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n try {\n X509Certificate cert = error.getCertificate().getX509Certificate();\n cert.verify(this.myPubKey);\n handler.proceed();\n }\n catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {\n handler.cancel();\n }\n } \n}\n```\n\n## References\n* [WebViewClient.onReceivedSslError documentation](https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-295", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/insecure-bean-validation", + "name": "java/insecure-bean-validation", + "shortDescription": { + "text": "Insecure Bean Validation" + }, + "fullDescription": { + "text": "User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Insecure Bean Validation\nCustom error messages for constraint validators support different types of interpolation, including [Java EL expressions](https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions). Controlling part of the message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()` argument can lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.\n\n\n## Recommendation\nThere are different approaches to remediate the issue:\n\n* Do not include validated bean properties in the custom error message.\n* Use parameterized messages instead of string concatenation. For example:\n```\nHibernateConstraintValidatorContext context =\n constraintValidatorContext.unwrap(HibernateConstraintValidatorContext.class);\ncontext.addMessageParameter(\"foo\", \"bar\");\ncontext.buildConstraintViolationWithTemplate(\"My violation message contains a parameter {foo}\")\n .addConstraintViolation();\n```\n* Sanitize the validated bean properties to make sure that there are no EL expressions. An example of valid sanitization logic can be found [here](https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17).\n* Disable the EL interpolation and only use `ParameterMessageInterpolator`:\n```\nValidator validator = Validation.byDefaultProvider()\n .configure()\n .messageInterpolator(new ParameterMessageInterpolator())\n .buildValidatorFactory()\n .getValidator();\n```\n* Replace Hibernate Validator with Apache BVal, which in its latest version does not interpolate EL expressions by default. 
Note that this replacement may not be a simple drop-in replacement.\n\n## Example\nThe following validator could result in arbitrary Java code execution:\n\n\n```java\nimport javax.validation.ConstraintValidator;\nimport javax.validation.ConstraintValidatorContext;\nimport org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;\nimport java.util.regex.Matcher;\nimport java.util.regex.Pattern;\n\npublic class TestValidator implements ConstraintValidator {\n\n public static class InterpolationHelper {\n\n public static final char BEGIN_TERM = '{';\n public static final char END_TERM = '}';\n public static final char EL_DESIGNATOR = '$';\n public static final char ESCAPE_CHARACTER = '\\\\';\n\n private static final Pattern ESCAPE_MESSAGE_PARAMETER_PATTERN = Pattern.compile( \"([\\\\\" + ESCAPE_CHARACTER + BEGIN_TERM + END_TERM + EL_DESIGNATOR + \"])\" );\n\n private InterpolationHelper() {\n }\n\n public static String escapeMessageParameter(String messageParameter) {\n if ( messageParameter == null ) {\n return null;\n }\n return ESCAPE_MESSAGE_PARAMETER_PATTERN.matcher( messageParameter ).replaceAll( Matcher.quoteReplacement( String.valueOf( ESCAPE_CHARACTER ) ) + \"$1\" );\n }\n\n }\n\n @Override\n public boolean isValid(String object, ConstraintValidatorContext constraintContext) {\n String value = object + \" is invalid\";\n\n // Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`\n constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are escaped \n String escaped = InterpolationHelper.escapeMessageParameter(value);\n constraintContext.buildConstraintViolationWithTemplate(escaped).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are parameterized\n HibernateConstraintValidatorContext 
context = constraintContext.unwrap( HibernateConstraintValidatorContext.class );\n context.addMessageParameter( \"prop\", object );\n context.buildConstraintViolationWithTemplate( \"{prop} is invalid\").addConstraintViolation();\n return false;\n }\n\n}\n\n```\n\n## References\n* Hibernate Reference Guide: [ConstraintValidatorContext](https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code).\n* GitHub Security Lab research: [Bean validation](https://securitylab.github.com/research/bean-validation-RCE).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Insecure Bean Validation\nCustom error messages for constraint validators support different types of interpolation, including [Java EL expressions](https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions). Controlling part of the message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()` argument can lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.\n\n\n## Recommendation\nThere are different approaches to remediate the issue:\n\n* Do not include validated bean properties in the custom error message.\n* Use parameterized messages instead of string concatenation. For example:\n```\nHibernateConstraintValidatorContext context =\n constraintValidatorContext.unwrap(HibernateConstraintValidatorContext.class);\ncontext.addMessageParameter(\"foo\", \"bar\");\ncontext.buildConstraintViolationWithTemplate(\"My violation message contains a parameter {foo}\")\n .addConstraintViolation();\n```\n* Sanitize the validated bean properties to make sure that there are no EL expressions. 
An example of valid sanitization logic can be found [here](https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17).\n* Disable the EL interpolation and only use `ParameterMessageInterpolator`:\n```\nValidator validator = Validation.byDefaultProvider()\n .configure()\n .messageInterpolator(new ParameterMessageInterpolator())\n .buildValidatorFactory()\n .getValidator();\n```\n* Replace Hibernate Validator with Apache BVal, which in its latest version does not interpolate EL expressions by default. Note that this replacement may not be a simple drop-in replacement.\n\n## Example\nThe following validator could result in arbitrary Java code execution:\n\n\n```java\nimport javax.validation.ConstraintValidator;\nimport javax.validation.ConstraintValidatorContext;\nimport org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;\nimport java.util.regex.Matcher;\nimport java.util.regex.Pattern;\n\npublic class TestValidator implements ConstraintValidator {\n\n public static class InterpolationHelper {\n\n public static final char BEGIN_TERM = '{';\n public static final char END_TERM = '}';\n public static final char EL_DESIGNATOR = '$';\n public static final char ESCAPE_CHARACTER = '\\\\';\n\n private static final Pattern ESCAPE_MESSAGE_PARAMETER_PATTERN = Pattern.compile( \"([\\\\\" + ESCAPE_CHARACTER + BEGIN_TERM + END_TERM + EL_DESIGNATOR + \"])\" );\n\n private InterpolationHelper() {\n }\n\n public static String escapeMessageParameter(String messageParameter) {\n if ( messageParameter == null ) {\n return null;\n }\n return ESCAPE_MESSAGE_PARAMETER_PATTERN.matcher( messageParameter ).replaceAll( Matcher.quoteReplacement( String.valueOf( ESCAPE_CHARACTER ) ) + \"$1\" );\n }\n\n }\n\n @Override\n public boolean isValid(String object, ConstraintValidatorContext constraintContext) {\n String value = object + \" is invalid\";\n\n 
// Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`\n constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are escaped \n String escaped = InterpolationHelper.escapeMessageParameter(value);\n constraintContext.buildConstraintViolationWithTemplate(escaped).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are parameterized\n HibernateConstraintValidatorContext context = constraintContext.unwrap( HibernateConstraintValidatorContext.class );\n context.addMessageParameter( \"prop\", object );\n context.buildConstraintViolationWithTemplate( \"{prop} is invalid\").addConstraintViolation();\n return false;\n }\n\n}\n\n```\n\n## References\n* Hibernate Reference Guide: [ConstraintValidatorContext](https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code).\n* GitHub Security Lab research: [Bean validation](https://securitylab.github.com/research/bean-validation-RCE).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/insecure-cookie", + "name": "java/insecure-cookie", + "shortDescription": { + "text": "Failure to use secure cookies" + }, + "fullDescription": { + "text": "Insecure cookies may be sent in cleartext, which makes them vulnerable to interception." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Failure to use secure cookies\nFailing to set the 'secure' flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.\n\n\n## Recommendation\nAlways use `setSecure` to set the 'secure' flag on a cookie before adding it to an `HttpServletResponse`.\n\n\n## Example\nThis example shows two ways of adding a cookie to an `HttpServletResponse`. The first way leaves out the setting of the 'secure' flag; the second way includes the setting of the flag.\n\n\n```java\npublic static void test(HttpServletRequest request, HttpServletResponse response) {\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// BAD: 'secure' flag not set\n\t\tresponse.addCookie(cookie);\n\t}\n\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// GOOD: set 'secure' flag\n\t\tcookie.setSecure(true);\n\t\tresponse.addCookie(cookie);\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* Java Platform, Enterprise Edition (Java EE) 7, API Specification: [Class Cookie](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n", + "markdown": "# Failure to use secure cookies\nFailing to set the 'secure' flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.\n\n\n## Recommendation\nAlways use `setSecure` to set the 'secure' flag on a cookie before adding it to an `HttpServletResponse`.\n\n\n## Example\nThis example shows two ways of adding a cookie to an `HttpServletResponse`. 
The first way leaves out the setting of the 'secure' flag; the second way includes the setting of the flag.\n\n\n```java\npublic static void test(HttpServletRequest request, HttpServletResponse response) {\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// BAD: 'secure' flag not set\n\t\tresponse.addCookie(cookie);\n\t}\n\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// GOOD: set 'secure' flag\n\t\tcookie.setSecure(true);\n\t\tresponse.addCookie(cookie);\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* Java Platform, Enterprise Edition (Java EE) 7, API Specification: [Class Cookie](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-614", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/insecure-ldap-auth", + "name": "java/insecure-ldap-auth", + "shortDescription": { + "text": "Insecure LDAP authentication" + }, + "fullDescription": { + "text": "LDAP authentication with credentials sent in cleartext makes sensitive information vulnerable to remote attackers" + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Insecure LDAP authentication\nWhen using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. 
Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.\n\n\n## Recommendation\nUse the `ldaps://` protocol to send credentials through SSL or use SASL authentication.\n\n\n## Example\nIn the following (bad) example, a `ldap://` URL is used and credentials will be sent in plaintext.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldaps://` URL is used so credentials will be encrypted with SSL.\n\n\n```java\nString ldapUrl = \"ldaps://ad.your-server.com:636\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldap://` URL is used, but SASL authentication is enabled so that the credentials will be encrypted.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, 
\"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"DIGEST-MD5 GSSAPI\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\n\n## References\n* Oracle: [LDAP and LDAPS URLs](https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html)\n* Oracle: [Simple authentication](https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html)\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n", + "markdown": "# Insecure LDAP authentication\nWhen using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.\n\n\n## Recommendation\nUse the `ldaps://` protocol to send credentials through SSL or use SASL authentication.\n\n\n## Example\nIn the following (bad) example, a `ldap://` URL is used and credentials will be sent in plaintext.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldaps://` URL is used so credentials will be encrypted with SSL.\n\n\n```java\nString ldapUrl = \"ldaps://ad.your-server.com:636\";\nHashtable environment = new 
Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldap://` URL is used, but SASL authentication is enabled so that the credentials will be encrypted.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"DIGEST-MD5 GSSAPI\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\n\n## References\n* Oracle: [LDAP and LDAPS URLs](https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html)\n* Oracle: [Simple authentication](https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html)\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-319", + "external/cwe/cwe-522", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/insecure-randomness", + "name": "java/insecure-randomness", + "shortDescription": { + "text": "Insecure randomness" + }, + 
"fullDescription": { + "text": "Using a cryptographically Insecure pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Insecure randomness\nIf you use a cryptographically weak pseudo-random number generator to generate security-sensitive values, such as passwords, attackers can more easily predict those values.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values (the seed). If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nThe `java.util.Random` random number generator is not cryptographically secure. Use a secure random number generator such as `java.security.SecureRandom` instead.\n\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a general rule, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\n\n## Example\nThe following examples show different ways of generating a cookie with a random value.\n\nIn the first (BAD) case, we generate a fresh cookie by appending a random integer to the end of a static string. 
The random number generator used (`Random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated cookie.\n\n\n```java\nRandom r = new Random();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\nIn the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`SecureRandom`) is cryptographically secure, so it is not possible for an attacker to predict the generated cookie.\n\n\n```java\nSecureRandom r = new SecureRandom();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Java Docs: [Random](http://docs.oracle.com/javase/8/docs/api/java/util/Random.html).\n* Java Docs: [SecureRandom](http://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).\n* Common Weakness Enumeration: [CWE-330](https://cwe.mitre.org/data/definitions/330.html).\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n", + "markdown": "# Insecure randomness\nIf you use a cryptographically weak pseudo-random number generator to generate security-sensitive values, such as passwords, attackers can more easily predict those values.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values (the seed). 
If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nThe `java.util.Random` random number generator is not cryptographically secure. Use a secure random number generator such as `java.security.SecureRandom` instead.\n\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a general rule, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\n\n## Example\nThe following examples show different ways of generating a cookie with a random value.\n\nIn the first (BAD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`Random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated cookie.\n\n\n```java\nRandom r = new Random();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\nIn the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static string. 
The random number generator used (`SecureRandom`) is cryptographically secure, so it is not possible for an attacker to predict the generated cookie.\n\n\n```java\nSecureRandom r = new SecureRandom();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Java Docs: [Random](http://docs.oracle.com/javase/8/docs/api/java/util/Random.html).\n* Java Docs: [SecureRandom](http://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).\n* Common Weakness Enumeration: [CWE-330](https://cwe.mitre.org/data/definitions/330.html).\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-330", + "external/cwe/cwe-338", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/insecure-trustmanager", + "name": "java/insecure-trustmanager", + "shortDescription": { + "text": "`TrustManager` that accepts all certificates" + }, + "fullDescription": { + "text": "Trusting all certificates allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# `TrustManager` that accepts all certificates\nIf the `checkServerTrusted` method of a `TrustManager` never throws a `CertificateException`, it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. 
The vulnerable program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable program calls the `checkServerTrusted` method to check whether it should trust the certificate.\n1. The `checkServerTrusted` method of your `TrustManager` does not throw a `CertificateException`.\n1. The vulnerable program accepts the certificate and proceeds with the connection since your `TrustManager` implicitly trusted it by not throwing an exception.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use a custom `TrustManager` that trusts any certificate. If you have to use a self-signed certificate, don't trust every certificate, but instead only trust this specific certificate. See below for an example of how to do this.\n\n\n## Example\nIn the first (bad) example, the `TrustManager` never throws a `CertificateException` and therefore implicitly trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack. In the second (good) example, the self-signed certificate that should be trusted is loaded into a `KeyStore`. 
This explicitly defines the certificate as trusted and there is no need to create a custom `TrustManager`.\n\n\n```java\npublic static void main(String[] args) throws Exception {\n {\n class InsecureTrustManager implements X509TrustManager {\n @Override\n public X509Certificate[] getAcceptedIssuers() {\n return null;\n }\n\n @Override\n public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n // BAD: Does not verify the certificate chain, allowing any certificate.\n }\n\n @Override\n public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n\n }\n }\n SSLContext context = SSLContext.getInstance(\"TLS\");\n TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };\n context.init(null, trustManager, null);\n }\n {\n SSLContext context = SSLContext.getInstance(\"TLS\");\n File certificateFile = new File(\"path/to/self-signed-certificate\");\n // Create a `KeyStore` with default type\n KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());\n // `keyStore` is initially empty\n keyStore.load(null, null);\n X509Certificate generatedCertificate;\n try (InputStream cert = new FileInputStream(certificateFile)) {\n generatedCertificate = (X509Certificate) CertificateFactory.getInstance(\"X509\")\n .generateCertificate(cert);\n }\n // Add the self-signed certificate to the key store\n keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);\n // Get default `TrustManagerFactory`\n TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n // Use it with our key store that trusts our self-signed certificate\n tmf.init(keyStore);\n TrustManager[] trustManagers = tmf.getTrustManagers();\n context.init(null, trustManagers, null);\n // GOOD, we are not using a custom `TrustManager` but instead have\n // added the self-signed certificate we want to trust to the key\n // store. 
Note, the `trustManagers` will **only** trust this one\n // certificate.\n \n URL url = new URL(\"https://self-signed.badssl.com/\");\n HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n conn.setSSLSocketFactory(context.getSocketFactory());\n }\n}\n\n```\n\n## References\n* Android Developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n", + "markdown": "# `TrustManager` that accepts all certificates\nIf the `checkServerTrusted` method of a `TrustManager` never throws a `CertificateException`, it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable program calls the `checkServerTrusted` method to check whether it should trust the certificate.\n1. The `checkServerTrusted` method of your `TrustManager` does not throw a `CertificateException`.\n1. The vulnerable program accepts the certificate and proceeds with the connection since your `TrustManager` implicitly trusted it by not throwing an exception.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use a custom `TrustManager` that trusts any certificate. If you have to use a self-signed certificate, don't trust every certificate, but instead only trust this specific certificate. 
See below for an example of how to do this.\n\n\n## Example\nIn the first (bad) example, the `TrustManager` never throws a `CertificateException` and therefore implicitly trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack. In the second (good) example, the self-signed certificate that should be trusted is loaded into a `KeyStore`. This explicitly defines the certificate as trusted and there is no need to create a custom `TrustManager`.\n\n\n```java\npublic static void main(String[] args) throws Exception {\n {\n class InsecureTrustManager implements X509TrustManager {\n @Override\n public X509Certificate[] getAcceptedIssuers() {\n return null;\n }\n\n @Override\n public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n // BAD: Does not verify the certificate chain, allowing any certificate.\n }\n\n @Override\n public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n\n }\n }\n SSLContext context = SSLContext.getInstance(\"TLS\");\n TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };\n context.init(null, trustManager, null);\n }\n {\n SSLContext context = SSLContext.getInstance(\"TLS\");\n File certificateFile = new File(\"path/to/self-signed-certificate\");\n // Create a `KeyStore` with default type\n KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());\n // `keyStore` is initially empty\n keyStore.load(null, null);\n X509Certificate generatedCertificate;\n try (InputStream cert = new FileInputStream(certificateFile)) {\n generatedCertificate = (X509Certificate) CertificateFactory.getInstance(\"X509\")\n .generateCertificate(cert);\n }\n // Add the self-signed certificate to the key store\n keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);\n // Get default `TrustManagerFactory`\n TrustManagerFactory tmf = 
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n // Use it with our key store that trusts our self-signed certificate\n tmf.init(keyStore);\n TrustManager[] trustManagers = tmf.getTrustManagers();\n context.init(null, trustManagers, null);\n // GOOD, we are not using a custom `TrustManager` but instead have\n // added the self-signed certificate we want to trust to the key\n // store. Note, the `trustManagers` will **only** trust this one\n // certificate.\n \n URL url = new URL(\"https://self-signed.badssl.com/\");\n HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n conn.setSSLSocketFactory(context.getSocketFactory());\n }\n}\n\n```\n\n## References\n* Android Developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-295", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/insufficient-key-size", + "name": "java/insufficient-key-size", + "shortDescription": { + "text": "Use of a cryptographic algorithm with insufficient key size" + }, + "fullDescription": { + "text": "Using cryptographic algorithms with too small a key size can allow an attacker to compromise security." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of a cryptographic algorithm with insufficient key size\nModern encryption relies on the computational infeasibility of breaking a cipher and decoding its message without the key. As computational power increases, the ability to break ciphers grows, and key sizes need to become larger as a result. 
Cryptographic algorithms that use too small of a key size are vulnerable to brute force attacks, which can reveal sensitive data.\n\n\n## Recommendation\nUse a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption, 256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.\n\n\n## Example\nThe following code uses cryptographic algorithms with insufficient key sizes.\n\n\n```java\n KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance(\"RSA\");\n keyPairGen1.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance(\"DSA\");\n keyPairGen2.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance(\"DH\");\n keyPairGen3.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance(\"EC\");\n ECGenParameterSpec ecSpec = new ECGenParameterSpec(\"secp112r1\"); // BAD: Key size is less than 256\n keyPairGen4.initialize(ecSpec);\n\n KeyGenerator keyGen = KeyGenerator.getInstance(\"AES\");\n keyGen.init(64); // BAD: Key size is less than 128\n\n```\nTo fix the code, change the key sizes to be the recommended size or larger for each algorithm.\n\n\n## References\n* Wikipedia: [Key size](http://en.wikipedia.org/wiki/Key_size).\n* Wikipedia: [Strong cryptography](https://en.wikipedia.org/wiki/Strong_cryptography).\n* OWASP: [ Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms).\n* OWASP: [ Testing for Weak Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption).\n* NIST: [ Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).\n* Common 
Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n", + "markdown": "# Use of a cryptographic algorithm with insufficient key size\nModern encryption relies on the computational infeasibility of breaking a cipher and decoding its message without the key. As computational power increases, the ability to break ciphers grows, and key sizes need to become larger as a result. Cryptographic algorithms that use too small of a key size are vulnerable to brute force attacks, which can reveal sensitive data.\n\n\n## Recommendation\nUse a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption, 256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.\n\n\n## Example\nThe following code uses cryptographic algorithms with insufficient key sizes.\n\n\n```java\n KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance(\"RSA\");\n keyPairGen1.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance(\"DSA\");\n keyPairGen2.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance(\"DH\");\n keyPairGen3.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance(\"EC\");\n ECGenParameterSpec ecSpec = new ECGenParameterSpec(\"secp112r1\"); // BAD: Key size is less than 256\n keyPairGen4.initialize(ecSpec);\n\n KeyGenerator keyGen = KeyGenerator.getInstance(\"AES\");\n keyGen.init(64); // BAD: Key size is less than 128\n\n```\nTo fix the code, change the key sizes to be the recommended size or larger for each algorithm.\n\n\n## References\n* Wikipedia: [Key size](http://en.wikipedia.org/wiki/Key_size).\n* Wikipedia: [Strong cryptography](https://en.wikipedia.org/wiki/Strong_cryptography).\n* OWASP: [ Cryptographic Storage Cheat 
Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms).\n* OWASP: [ Testing for Weak Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption).\n* NIST: [ Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-326", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/jexl-expression-injection", + "name": "java/jexl-expression-injection", + "shortDescription": { + "text": "Expression language injection (JEXL)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled JEXL expression may lead to arbitrary code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (JEXL)\nJava EXpression Language (JEXL) is a simple expression language provided by the Apache Commons JEXL library. The syntax is close to a mix of ECMAScript and shell-script. The language allows invocation of methods available in the JVM. If a JEXL expression is built using attacker-controlled data, and then evaluated, then it may allow the attacker to run arbitrary code.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a JEXL expression. 
If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only explicitly allowed classes.\n\n\n## Example\nThe following example uses untrusted data to build and run a JEXL expression.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String input = reader.readLine();\n JexlEngine jexl = new JexlBuilder().create();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows how an untrusted JEXL expression can be run in a sandbox that allows accessing only methods in the `java.lang.Math` class. The sandbox is implemented using `JexlSandbox` class that is provided by Apache Commons JEXL 3.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlSandbox onlyMath = new JexlSandbox(false);\n onlyMath.white(\"java.lang.Math\");\n JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows another way how a sandbox can be implemented. 
It uses a custom implementation of `JexlUberspect` that checks if callees are instances of allowed classes.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlUberspect sandbox = new JexlUberspectSandbox();\n JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n\n private static class JexlUberspectSandbox implements JexlUberspect {\n\n private static final List ALLOWED_CLASSES =\n Arrays.asList(\"java.lang.Math\", \"java.util.Random\");\n\n private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();\n\n private void checkAccess(Object obj) {\n if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {\n throw new AccessControlException(\"Not allowed\");\n }\n }\n\n @Override\n public JexlMethod getMethod(Object obj, String method, Object... args) {\n checkAccess(obj);\n return uberspect.getMethod(obj, method, args);\n }\n\n @Override\n public List getResolvers(JexlOperator op, Object obj) {\n checkAccess(obj);\n return uberspect.getResolvers(op, obj);\n }\n\n @Override\n public void setClassLoader(ClassLoader loader) {\n uberspect.setClassLoader(loader);\n }\n\n @Override\n public int getVersion() {\n return uberspect.getVersion();\n }\n\n @Override\n public JexlMethod getConstructor(Object obj, Object... 
args) {\n checkAccess(obj);\n return uberspect.getConstructor(obj, args);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(obj, identifier);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(List resolvers, Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(resolvers, obj, identifier);\n }\n\n @Override\n public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(obj, identifier, arg);\n }\n\n @Override\n public JexlPropertySet getPropertySet(List resolvers, Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(resolvers, obj, identifier, arg);\n }\n\n @Override\n public Iterator getIterator(Object obj) {\n checkAccess(obj);\n return uberspect.getIterator(obj);\n }\n\n @Override\n public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {\n return uberspect.getArithmetic(arithmetic);\n } \n }\n}\n```\n\n## References\n* Apache Commons JEXL: [Project page](https://commons.apache.org/proper/commons-jexl/).\n* Apache Commons JEXL documentation: [JEXL 2.1.1 API](https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/).\n* Apache Commons JEXL documentation: [JEXL 3.1 API](https://commons.apache.org/proper/commons-jexl/apidocs/index.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (JEXL)\nJava EXpression Language (JEXL) is a simple expression language provided by the Apache Commons JEXL library. The syntax is close to a mix of ECMAScript and shell-script. The language allows invocation of methods available in the JVM. 
If a JEXL expression is built using attacker-controlled data, and then evaluated, then it may allow the attacker to run arbitrary code.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a JEXL expression. If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only explicitly allowed classes.\n\n\n## Example\nThe following example uses untrusted data to build and run a JEXL expression.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String input = reader.readLine();\n JexlEngine jexl = new JexlBuilder().create();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows how an untrusted JEXL expression can be run in a sandbox that allows accessing only methods in the `java.lang.Math` class. The sandbox is implemented using `JexlSandbox` class that is provided by Apache Commons JEXL 3.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlSandbox onlyMath = new JexlSandbox(false);\n onlyMath.white(\"java.lang.Math\");\n JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows another way how a sandbox can be implemented. 
It uses a custom implementation of `JexlUberspect` that checks if callees are instances of allowed classes.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlUberspect sandbox = new JexlUberspectSandbox();\n JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n\n private static class JexlUberspectSandbox implements JexlUberspect {\n\n private static final List ALLOWED_CLASSES =\n Arrays.asList(\"java.lang.Math\", \"java.util.Random\");\n\n private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();\n\n private void checkAccess(Object obj) {\n if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {\n throw new AccessControlException(\"Not allowed\");\n }\n }\n\n @Override\n public JexlMethod getMethod(Object obj, String method, Object... args) {\n checkAccess(obj);\n return uberspect.getMethod(obj, method, args);\n }\n\n @Override\n public List getResolvers(JexlOperator op, Object obj) {\n checkAccess(obj);\n return uberspect.getResolvers(op, obj);\n }\n\n @Override\n public void setClassLoader(ClassLoader loader) {\n uberspect.setClassLoader(loader);\n }\n\n @Override\n public int getVersion() {\n return uberspect.getVersion();\n }\n\n @Override\n public JexlMethod getConstructor(Object obj, Object... 
args) {\n checkAccess(obj);\n return uberspect.getConstructor(obj, args);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(obj, identifier);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(List resolvers, Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(resolvers, obj, identifier);\n }\n\n @Override\n public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(obj, identifier, arg);\n }\n\n @Override\n public JexlPropertySet getPropertySet(List resolvers, Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(resolvers, obj, identifier, arg);\n }\n\n @Override\n public Iterator getIterator(Object obj) {\n checkAccess(obj);\n return uberspect.getIterator(obj);\n }\n\n @Override\n public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {\n return uberspect.getArithmetic(arithmetic);\n } \n }\n}\n```\n\n## References\n* Apache Commons JEXL: [Project page](https://commons.apache.org/proper/commons-jexl/).\n* Apache Commons JEXL documentation: [JEXL 2.1.1 API](https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/).\n* Apache Commons JEXL documentation: [JEXL 3.1 API](https://commons.apache.org/proper/commons-jexl/apidocs/index.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/jhipster-prng", + "name": 
"java/jhipster-prng", + "shortDescription": { + "text": "Detect JHipster Generator Vulnerability CVE-2019-16303" + }, + "fullDescription": { + "text": "Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Detect JHipster Generator Vulnerability CVE-2019-16303\nThis query detects instances of `RandomUtil.java` that were generated by a [JHipster](https://www.jhipster.tech/) version that is vulnerable to [CVE-2019-16303](https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84).\n\nIf an app uses `RandomUtil.java` generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.\n\nThis vulnerability has a [ CVSS v3.0 Base Score of 9.8/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST).\n\n\n## Example\nThe example below shows the vulnerable `RandomUtil` class generated by [JHipster prior to version 6.3.0](https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html).\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n\n private static final int DEF_COUNT = 20;\n\n private RandomUtil() {\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return 
RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n}\n\n```\nBelow is a fixed version of the `RandomUtil` class.\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\nimport java.security.SecureRandom;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom\n\n private static final int DEF_COUNT = 20;\n\n static {\n SECURE_RANDOM.nextBytes(new byte[64]);\n }\n\n private RandomUtil() {\n }\n\n private static String generateRandomAlphanumericString() {\n // GOOD: Passing Secure Random to RandomStringUtils::random\n return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return 
generateRandomAlphanumericString();\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return generateRandomAlphanumericString();\n }\n}\n\n```\n\n## Recommendation\nYou should refactor the `RandomUtil` class and replace every call to `RandomStringUtils.randomAlphaNumeric`. You could regenerate the class using the latest version of JHipster, or use an automated refactoring. For example, using the [Patching JHipster CWE-338](https://github.com/moderneinc/jhipster-cwe-338) for the [Rewrite project](https://github.com/openrewrite/rewrite).\n\n\n## References\n* Cloudflare Blog: [ Why secure systems require random numbers ](https://blog.cloudflare.com/why-randomness-matters/)\n* Hacker News: [ How I Hacked Hacker News (with arc security advisory) ](https://news.ycombinator.com/item?id=639976)\n* Posts by Pucara Information Security Team: [ The Java Soothsayer: A practical application for insecure randomness. 
(Includes free 0day) ](https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n", + "markdown": "# Detect JHipster Generator Vulnerability CVE-2019-16303\nThis query detects instances of `RandomUtil.java` that were generated by a [JHipster](https://www.jhipster.tech/) version that is vulnerable to [CVE-2019-16303](https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84).\n\nIf an app uses `RandomUtil.java` generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.\n\nThis vulnerability has a [ CVSS v3.0 Base Score of 9.8/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST).\n\n\n## Example\nThe example below shows the vulnerable `RandomUtil` class generated by [JHipster prior to version 6.3.0](https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html).\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n\n private static final int DEF_COUNT = 20;\n\n private RandomUtil() {\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * 
Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n}\n\n```\nBelow is a fixed version of the `RandomUtil` class.\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\nimport java.security.SecureRandom;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom\n\n private static final int DEF_COUNT = 20;\n\n static {\n SECURE_RANDOM.nextBytes(new byte[64]);\n }\n\n private RandomUtil() {\n }\n\n private static String generateRandomAlphanumericString() {\n // GOOD: Passing Secure Random to RandomStringUtils::random\n return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n 
public static String generateResetKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return generateRandomAlphanumericString();\n }\n}\n\n```\n\n## Recommendation\nYou should refactor the `RandomUtil` class and replace every call to `RandomStringUtils.randomAlphaNumeric`. You could regenerate the class using the latest version of JHipster, or use an automated refactoring. For example, using the [Patching JHipster CWE-338](https://github.com/moderneinc/jhipster-cwe-338) for the [Rewrite project](https://github.com/openrewrite/rewrite).\n\n\n## References\n* Cloudflare Blog: [ Why secure systems require random numbers ](https://blog.cloudflare.com/why-randomness-matters/)\n* Hacker News: [ How I Hacked Hacker News (with arc security advisory) ](https://news.ycombinator.com/item?id=639976)\n* Posts by Pucara Information Security Team: [ The Java Soothsayer: A practical application for insecure randomness. 
(Includes free 0day) ](https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-338", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql", + "precision": "very-high", + "security-severity": "7.8" + } + }, + { + "id": "java/jndi-injection", + "name": "java/jndi-injection", + "shortDescription": { + "text": "JNDI lookup with user-controlled name" + }, + "fullDescription": { + "text": "Performing a JNDI lookup with a user-controlled name can lead to the download of an untrusted object and to execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# JNDI lookup with user-controlled name\nThe Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources (in the form of Java objects) via a name. If the name being used to look up the data is controlled by the user, it can point to a malicious server, which can return an arbitrary object. In the worst case, this can allow remote code execution.\n\n\n## Recommendation\nThe general recommendation is to avoid passing untrusted data to the `InitialContext.lookup ` method. 
If the name being used to look up the object must be provided by the user, make sure that it's not in the form of an absolute URL or that it's the URL pointing to a trusted server.\n\n\n## Example\nIn the following examples, the code accepts a name from the user, which it uses to look up an object.\n\nIn the first example, the user provided name is used to look up an object.\n\nThe second example validates the name before using it to look up an object.\n\n\n```java\nimport javax.naming.Context;\nimport javax.naming.InitialContext;\n\npublic void jndiLookup(HttpServletRequest request) throws NamingException {\n String name = request.getParameter(\"name\");\n\n Hashtable env = new Hashtable();\n env.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.rmi.registry.RegistryContextFactory\");\n env.put(Context.PROVIDER_URL, \"rmi://trusted-server:1099\");\n InitialContext ctx = new InitialContext(env);\n\n // BAD: User input used in lookup\n ctx.lookup(name);\n\n // GOOD: The name is validated before being used in lookup\n if (isValid(name)) {\n ctx.lookup(name);\n } else {\n // Reject the request\n }\n}\n```\n\n## References\n* Oracle: [Java Naming and Directory Interface (JNDI)](https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/).\n* Black Hat materials: [A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf).\n* Veracode: [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n", + "markdown": "# JNDI lookup with user-controlled name\nThe Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources (in the form of Java objects) via a name. 
If the name being used to look up the data is controlled by the user, it can point to a malicious server, which can return an arbitrary object. In the worst case, this can allow remote code execution.\n\n\n## Recommendation\nThe general recommendation is to avoid passing untrusted data to the `InitialContext.lookup ` method. If the name being used to look up the object must be provided by the user, make sure that it's not in the form of an absolute URL or that it's the URL pointing to a trusted server.\n\n\n## Example\nIn the following examples, the code accepts a name from the user, which it uses to look up an object.\n\nIn the first example, the user provided name is used to look up an object.\n\nThe second example validates the name before using it to look up an object.\n\n\n```java\nimport javax.naming.Context;\nimport javax.naming.InitialContext;\n\npublic void jndiLookup(HttpServletRequest request) throws NamingException {\n String name = request.getParameter(\"name\");\n\n Hashtable env = new Hashtable();\n env.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.rmi.registry.RegistryContextFactory\");\n env.put(Context.PROVIDER_URL, \"rmi://trusted-server:1099\");\n InitialContext ctx = new InitialContext(env);\n\n // BAD: User input used in lookup\n ctx.lookup(name);\n\n // GOOD: The name is validated before being used in lookup\n if (isValid(name)) {\n ctx.lookup(name);\n } else {\n // Reject the request\n }\n}\n```\n\n## References\n* Oracle: [Java Naming and Directory Interface (JNDI)](https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/).\n* Black Hat materials: [A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf).\n* Veracode: [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java).\n* Common Weakness Enumeration: 
[CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-074", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/ldap-injection", + "name": "java/ldap-injection", + "shortDescription": { + "text": "LDAP query built from user-controlled sources" + }, + "fullDescription": { + "text": "Building an LDAP query from user-controlled sources is vulnerable to insertion of malicious LDAP code by the user." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# LDAP query built from user-controlled sources\nIf an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries.\n\n\n## Recommendation\nIf user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible build the LDAP query using framework helper methods, for example from Spring's `LdapQueryBuilder` and `LdapNameBuilder`, instead of string concatenation. Alternatively, escape user input using an appropriate LDAP encoding method, for example: `encodeForLDAP` or `encodeForDN` from OWASP ESAPI, `LdapEncoder.filterEncode` or `LdapEncoder.nameEncode` from Spring LDAP, or `Filter.encodeValue` from UnboundID library.\n\n\n## Example\nIn the following examples, the code accepts an \"organization name\" and a \"username\" from the user, which it uses to query LDAP.\n\nThe first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query. 
A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The LDAP query is executed using Java JNDI API.\n\nThe second example uses the OWASP ESAPI library to encode the user values before they are included in the DN and search filters. This ensures the meaning of the query cannot be changed by a malicious user.\n\n\n```java\nimport javax.naming.directory.DirContext;\nimport org.owasp.esapi.Encoder;\nimport org.owasp.esapi.reference.DefaultEncoder;\n\npublic void ldapQueryBad(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // BAD: User input used in DN (Distinguished Name) without encoding\n String dn = \"OU=People,O=\" + organizationName;\n\n // BAD: User input used in search filter without encoding\n String filter = \"username=\" + userName;\n\n ctx.search(dn, filter, new SearchControls());\n}\n\npublic void ldapQueryGood(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // ESAPI encoder\n Encoder encoder = DefaultEncoder.getInstance();\n\n // GOOD: Organization name is encoded before being used in DN\n String safeOrganizationName = encoder.encodeForDN(organizationName);\n String safeDn = \"OU=People,O=\" + safeOrganizationName;\n\n // GOOD: User input is encoded before being used in search filter\n String safeUsername = encoder.encodeForLDAP(username);\n String safeFilter = \"username=\" + safeUsername;\n \n ctx.search(safeDn, safeFilter, new SearchControls());\n}\n```\nThe third example uses Spring `LdapQueryBuilder` to build an LDAP query. 
In addition to simplifying the building of complex search parameters, it also provides proper escaping of any unsafe characters in search filters. The DN is built using `LdapNameBuilder`, which also provides proper escaping.\n\n\n```java\nimport static org.springframework.ldap.query.LdapQueryBuilder.query;\nimport org.springframework.ldap.support.LdapNameBuilder;\n\npublic void ldapQueryGood(@RequestParam String organizationName, @RequestParam String username) {\n // GOOD: Organization name is encoded before being used in DN\n String safeDn = LdapNameBuilder.newInstance()\n .add(\"O\", organizationName)\n .add(\"OU=People\")\n .build().toString();\n\n // GOOD: User input is encoded before being used in search filter\n LdapQuery query = query()\n .base(safeDn)\n .where(\"username\").is(username);\n\n ldapTemplate.search(query, new AttributeCheckAttributesMapper());\n}\n```\nThe fourth example uses `UnboundID` classes, `Filter` and `DN`, to construct a safe filter and base DN.\n\n\n```java\nimport com.unboundid.ldap.sdk.LDAPConnection;\nimport com.unboundid.ldap.sdk.DN;\nimport com.unboundid.ldap.sdk.RDN;\nimport com.unboundid.ldap.sdk.Filter;\n\npublic void ldapQueryGood(HttpServletRequest request, LDAPConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n DN safeDn = new DN(new RDN(\"OU\", \"People\"), new RDN(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n Filter safeFilter = Filter.createEqualityFilter(\"username\", username);\n \n c.search(safeDn.toString(), SearchScope.ONE, safeFilter);\n}\n```\nThe fifth example shows how to build a safe filter and DN using the Apache LDAP API.\n\n\n```java\nimport org.apache.directory.ldap.client.api.LdapConnection;\nimport org.apache.directory.api.ldap.model.name.Dn;\nimport 
org.apache.directory.api.ldap.model.name.Rdn;\nimport org.apache.directory.api.ldap.model.message.SearchRequest;\nimport org.apache.directory.api.ldap.model.message.SearchRequestImpl;\nimport static org.apache.directory.ldap.client.api.search.FilterBuilder.equal;\n\npublic void ldapQueryGood(HttpServletRequest request, LdapConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n Dn safeDn = new Dn(new Rdn(\"OU\", \"People\"), new Rdn(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n String safeFilter = equal(\"username\", username);\n \n SearchRequest searchRequest = new SearchRequestImpl();\n searchRequest.setBase(safeDn);\n searchRequest.setFilter(safeFilter);\n c.search(searchRequest);\n}\n```\n\n## References\n* OWASP: [LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).\n* OWASP ESAPI: [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/).\n* Spring LdapQueryBuilder doc: [LdapQueryBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html).\n* Spring LdapNameBuilder doc: [LdapNameBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html).\n* UnboundID: [Understanding and Defending Against LDAP Injection Attacks](https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n", + "markdown": "# LDAP query built from user-controlled sources\nIf an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries.\n\n\n## 
Recommendation\nIf user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible build the LDAP query using framework helper methods, for example from Spring's `LdapQueryBuilder` and `LdapNameBuilder`, instead of string concatenation. Alternatively, escape user input using an appropriate LDAP encoding method, for example: `encodeForLDAP` or `encodeForDN` from OWASP ESAPI, `LdapEncoder.filterEncode` or `LdapEncoder.nameEncode` from Spring LDAP, or `Filter.encodeValue` from UnboundID library.\n\n\n## Example\nIn the following examples, the code accepts an \"organization name\" and a \"username\" from the user, which it uses to query LDAP.\n\nThe first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query. A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The LDAP query is executed using Java JNDI API.\n\nThe second example uses the OWASP ESAPI library to encode the user values before they are included in the DN and search filters. 
This ensures the meaning of the query cannot be changed by a malicious user.\n\n\n```java\nimport javax.naming.directory.DirContext;\nimport org.owasp.esapi.Encoder;\nimport org.owasp.esapi.reference.DefaultEncoder;\n\npublic void ldapQueryBad(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // BAD: User input used in DN (Distinguished Name) without encoding\n String dn = \"OU=People,O=\" + organizationName;\n\n // BAD: User input used in search filter without encoding\n String filter = \"username=\" + userName;\n\n ctx.search(dn, filter, new SearchControls());\n}\n\npublic void ldapQueryGood(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // ESAPI encoder\n Encoder encoder = DefaultEncoder.getInstance();\n\n // GOOD: Organization name is encoded before being used in DN\n String safeOrganizationName = encoder.encodeForDN(organizationName);\n String safeDn = \"OU=People,O=\" + safeOrganizationName;\n\n // GOOD: User input is encoded before being used in search filter\n String safeUsername = encoder.encodeForLDAP(username);\n String safeFilter = \"username=\" + safeUsername;\n \n ctx.search(safeDn, safeFilter, new SearchControls());\n}\n```\nThe third example uses Spring `LdapQueryBuilder` to build an LDAP query. In addition to simplifying the building of complex search parameters, it also provides proper escaping of any unsafe characters in search filters. 
The DN is built using `LdapNameBuilder`, which also provides proper escaping.\n\n\n```java\nimport static org.springframework.ldap.query.LdapQueryBuilder.query;\nimport org.springframework.ldap.support.LdapNameBuilder;\n\npublic void ldapQueryGood(@RequestParam String organizationName, @RequestParam String username) {\n // GOOD: Organization name is encoded before being used in DN\n String safeDn = LdapNameBuilder.newInstance()\n .add(\"O\", organizationName)\n .add(\"OU=People\")\n .build().toString();\n\n // GOOD: User input is encoded before being used in search filter\n LdapQuery query = query()\n .base(safeDn)\n .where(\"username\").is(username);\n\n ldapTemplate.search(query, new AttributeCheckAttributesMapper());\n}\n```\nThe fourth example uses `UnboundID` classes, `Filter` and `DN`, to construct a safe filter and base DN.\n\n\n```java\nimport com.unboundid.ldap.sdk.LDAPConnection;\nimport com.unboundid.ldap.sdk.DN;\nimport com.unboundid.ldap.sdk.RDN;\nimport com.unboundid.ldap.sdk.Filter;\n\npublic void ldapQueryGood(HttpServletRequest request, LDAPConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n DN safeDn = new DN(new RDN(\"OU\", \"People\"), new RDN(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n Filter safeFilter = Filter.createEqualityFilter(\"username\", username);\n \n c.search(safeDn.toString(), SearchScope.ONE, safeFilter);\n}\n```\nThe fifth example shows how to build a safe filter and DN using the Apache LDAP API.\n\n\n```java\nimport org.apache.directory.ldap.client.api.LdapConnection;\nimport org.apache.directory.api.ldap.model.name.Dn;\nimport org.apache.directory.api.ldap.model.name.Rdn;\nimport org.apache.directory.api.ldap.model.message.SearchRequest;\nimport org.apache.directory.api.ldap.model.message.SearchRequestImpl;\nimport 
static org.apache.directory.ldap.client.api.search.FilterBuilder.equal;\n\npublic void ldapQueryGood(HttpServletRequest request, LdapConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n Dn safeDn = new Dn(new Rdn(\"OU\", \"People\"), new Rdn(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n String safeFilter = equal(\"username\", username);\n \n SearchRequest searchRequest = new SearchRequestImpl();\n searchRequest.setBase(safeDn);\n searchRequest.setFilter(safeFilter);\n c.search(searchRequest);\n}\n```\n\n## References\n* OWASP: [LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).\n* OWASP ESAPI: [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/).\n* Spring LdapQueryBuilder doc: [LdapQueryBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html).\n* Spring LdapNameBuilder doc: [LdapNameBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html).\n* UnboundID: [Understanding and Defending Against LDAP Injection Attacks](https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-090", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/maven/dependency-upon-bintray", + "name": "java/maven/dependency-upon-bintray", + "shortDescription": { + "text": "Depending upon JCenter/Bintray as 
an artifact repository" + }, + "fullDescription": { + "text": "Using a deprecated artifact repository may eventually give attackers access for a supply chain attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Depending upon JCenter/Bintray as an artifact repository\n[Bintray and JCenter are shutting down on February 1st, 2022](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/). Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences; for example, artifacts being resolved from a different artifact server or a total failure of the CI build.\n\nWhen artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge. Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\n\n## Recommendation\nAlways use the canonical repository for resolving your dependencies.\n\n\n## Example\nThe following example shows locations in a Maven POM file where artifact repository upload/download is configured. 
The use of Bintray in any of these locations is not advised.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Bintray Usage\n An example of using bintray to download and upload dependencies\n\n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n jcenter-snapshots\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://dl.bintray.com/groovy/maven\n \n \n \n \n jcenter-plugins\n JCenter\n \n https://jcenter.bintray.com\n \n \n\n\n```\n\n## References\n* JFrog blog: [ Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter ](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/)\n* Common Weakness Enumeration: [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html).\n", + "markdown": "# Depending upon JCenter/Bintray as an artifact repository\n[Bintray and JCenter are shutting down on February 1st, 2022](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/). Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences; for example, artifacts being resolved from a different artifact server or a total failure of the CI build.\n\nWhen artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge. Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\n\n## Recommendation\nAlways use the canonical repository for resolving your dependencies.\n\n\n## Example\nThe following example shows locations in a Maven POM file where artifact repository upload/download is configured. 
The use of Bintray in any of these locations is not advised.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Bintray Usage\n An example of using bintray to download and upload dependencies\n\n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n jcenter-snapshots\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://dl.bintray.com/groovy/maven\n \n \n \n \n jcenter-plugins\n JCenter\n \n https://jcenter.bintray.com\n \n \n\n\n```\n\n## References\n* JFrog blog: [ Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter ](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/)\n* Common Weakness Enumeration: [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1104", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql", + "precision": "very-high", + "security-severity": "6.5" + } + }, + { + "id": "java/maven/non-https-url", + "name": "java/maven/non-https-url", + "shortDescription": { + "text": "Failure to use HTTPS or SFTP URL in Maven artifact upload/download" + }, + "fullDescription": { + "text": "Non-HTTPS connections can be intercepted by third parties." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Failure to use HTTPS or SFTP URL in Maven artifact upload/download\nUsing an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a [Man in the Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. 
This can be used by attackers to perform a [Supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\nThis vulnerability has a [ CVSS v3.1 base score of 8.1/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1).\n\n\n## Recommendation\nAlways use HTTPS or SFTP to download artifacts from artifact servers.\n\n\n## Example\nThese examples show examples of locations in Maven POM files where artifact repository upload/download is configured. The first shows the use of HTTP, the second shows the use of HTTPS.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of insecure download and upload of dependencies\n\n \n \n insecure-releases\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n insecure-snapshots\n Insecure Repository Snapshots\n \n http://insecure-repository.example\n \n \n \n \n insecure\n Insecure Repository\n \n http://insecure-repository.example\n \n \n \n \n insecure-plugins\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n\n\n```\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of secure download and upload of dependencies\n\n \n \n insecure-releases\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n insecure-snapshots\n Secure Repository Snapshots\n \n https://insecure-repository.example\n \n \n \n \n insecure\n Secure Repository\n \n https://insecure-repository.example\n \n \n \n \n insecure-plugins\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n\n\n```\n\n## References\n* Research: [ Want to take over the Java ecosystem? All you need is a MITM! 
](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)\n* Research: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Proof of Concept: [ mveytsman/dilettante ](https://github.com/mveytsman/dilettante)\n* Additional Gradle & Maven plugin: [ Announcing nohttp ](https://spring.io/blog/2019/06/10/announcing-nohttp)\n* Java Ecosystem Announcement: [ HTTP Decommission Artifact Server Announcements ](https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n", + "markdown": "# Failure to use HTTPS or SFTP URL in Maven artifact upload/download\nUsing an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a [Man in the Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. 
This can be used by attackers to perform a [Supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\nThis vulnerability has a [ CVSS v3.1 base score of 8.1/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1).\n\n\n## Recommendation\nAlways use HTTPS or SFTP to download artifacts from artifact servers.\n\n\n## Example\nThese examples show examples of locations in Maven POM files where artifact repository upload/download is configured. The first shows the use of HTTP, the second shows the use of HTTPS.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of insecure download and upload of dependencies\n\n \n \n insecure-releases\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n insecure-snapshots\n Insecure Repository Snapshots\n \n http://insecure-repository.example\n \n \n \n \n insecure\n Insecure Repository\n \n http://insecure-repository.example\n \n \n \n \n insecure-plugins\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n\n\n```\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of secure download and upload of dependencies\n\n \n \n insecure-releases\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n insecure-snapshots\n Secure Repository Snapshots\n \n https://insecure-repository.example\n \n \n \n \n insecure\n Secure Repository\n \n https://insecure-repository.example\n \n \n \n \n insecure-plugins\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n\n\n```\n\n## References\n* Research: [ Want to take over the Java ecosystem? All you need is a MITM! 
](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)\n* Research: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Proof of Concept: [ mveytsman/dilettante ](https://github.com/mveytsman/dilettante)\n* Additional Gradle & Maven plugin: [ Announcing nohttp ](https://spring.io/blog/2019/06/10/announcing-nohttp)\n* Java Ecosystem Announcement: [ HTTP Decommission Artifact Server Announcements ](https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-300", + "external/cwe/cwe-319", + "external/cwe/cwe-494", + "external/cwe/cwe-829", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql", + "precision": "very-high", + "security-severity": "8.1" + } + }, + { + "id": "java/missing-jwt-signature-check", + "name": "java/missing-jwt-signature-check", + "shortDescription": { + "text": "Missing JWT signature check" + }, + "fullDescription": { + "text": "Failing to check the Json Web Token (JWT) signature may allow an attacker to forge their own tokens." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Missing JWT signature check\nA JSON Web Token (JWT) consists of three parts: header, payload, and signature. 
The `io.jsonwebtoken.jjwt` library is one of many libraries used for working with JWTs. It offers different methods for parsing tokens like `parse`, `parseClaimsJws`, and `parsePlaintextJws`. The last two correctly verify that the JWT is properly signed. This is done by computing the signature of the combination of header and payload and comparing the locally computed signature with the signature part of the JWT.\n\nTherefore it is necessary to provide the `JwtParser` with a key that is used for signature validation. Unfortunately the `parse` method **accepts** a JWT whose signature is empty although a signing key has been set for the parser. This means that an attacker can create arbitrary JWTs that will be accepted if this method is used.\n\n\n## Recommendation\nAlways verify the signature by using either the `parseClaimsJws` and `parsePlaintextJws` methods or by overriding the `onPlaintextJws` or `onClaimsJws` of `JwtHandlerAdapter`.\n\n\n## Example\nThe following example shows four cases where a signing key is set for a parser. In the first 'BAD' case the `parse` method is used, which will not validate the signature. The second 'BAD' case uses a `JwtHandlerAdapter` where the `onPlaintextJwt` method is overriden, so it will not validate the signature. 
The third and fourth 'GOOD' cases use `parseClaimsJws` method or override the `onPlaintextJws` method.\n\n\n```java\npublic void badJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(token); // BAD: Does not verify the signature\n}\n\npublic void badJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jwt onPlaintextJwt(Jwt jwt) {\n return jwt;\n }\n }); // BAD: The handler is called on an unverified JWT\n}\n\npublic void goodJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parseClaimsJws(token) // GOOD: Verify the signature\n .getBody();\n}\n\npublic void goodJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jws onPlaintextJws(Jws jws) {\n return jws;\n }\n }); // GOOD: The handler is called on a verified JWS\n}\n```\n\n## References\n* zofrex: [How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing App](https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n", + "markdown": "# Missing JWT signature check\nA JSON Web Token (JWT) consists of three parts: header, payload, and signature. The `io.jsonwebtoken.jjwt` library is one of many libraries used for working with JWTs. It offers different methods for parsing tokens like `parse`, `parseClaimsJws`, and `parsePlaintextJws`. The last two correctly verify that the JWT is properly signed. This is done by computing the signature of the combination of header and payload and comparing the locally computed signature with the signature part of the JWT.\n\nTherefore it is necessary to provide the `JwtParser` with a key that is used for signature validation. 
Unfortunately the `parse` method **accepts** a JWT whose signature is empty although a signing key has been set for the parser. This means that an attacker can create arbitrary JWTs that will be accepted if this method is used.\n\n\n## Recommendation\nAlways verify the signature by using either the `parseClaimsJws` and `parsePlaintextJws` methods or by overriding the `onPlaintextJws` or `onClaimsJws` of `JwtHandlerAdapter`.\n\n\n## Example\nThe following example shows four cases where a signing key is set for a parser. In the first 'BAD' case the `parse` method is used, which will not validate the signature. The second 'BAD' case uses a `JwtHandlerAdapter` where the `onPlaintextJwt` method is overriden, so it will not validate the signature. The third and fourth 'GOOD' cases use `parseClaimsJws` method or override the `onPlaintextJws` method.\n\n\n```java\npublic void badJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(token); // BAD: Does not verify the signature\n}\n\npublic void badJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jwt onPlaintextJwt(Jwt jwt) {\n return jwt;\n }\n }); // BAD: The handler is called on an unverified JWT\n}\n\npublic void goodJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parseClaimsJws(token) // GOOD: Verify the signature\n .getBody();\n}\n\npublic void goodJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jws onPlaintextJws(Jws jws) {\n return jws;\n }\n }); // GOOD: The handler is called on a verified JWS\n}\n```\n\n## References\n* zofrex: [How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing 
App](https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-347", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/mvel-expression-injection", + "name": "java/mvel-expression-injection", + "shortDescription": { + "text": "Expression language injection (MVEL)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled MVEL expression may lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (MVEL)\nMVEL is an expression language based on Java-syntax, which offers many features including invocation of methods available in the JVM. If a MVEL expression is built using attacker-controlled data, and then evaluated, then it may allow attackers to run arbitrary code.\n\n\n## Recommendation\nIncluding user input in a MVEL expression should be avoided.\n\n\n## Example\nIn the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. 
In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // BAD: the user-provided expression is directly evaluated\n MVEL.eval(expression);\n }\n}\n\npublic void safeEvaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // GOOD: the user-provided expression is validated before evaluation\n validateExpression(expression);\n MVEL.eval(expression);\n }\n}\n\nprivate void validateExpression(String expression) {\n // Validate that the expression does not contain unexpected code.\n // For instance, this can be done with allow-lists or deny-lists of code patterns.\n}\n```\n\n## References\n* MVEL Documentation: [Language Guide for 2.0](http://mvel.documentnode.com/).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (MVEL)\nMVEL is an expression language based on Java-syntax, which offers many features including invocation of methods available in the JVM. If a MVEL expression is built using attacker-controlled data, and then evaluated, then it may allow attackers to run arbitrary code.\n\n\n## Recommendation\nIncluding user input in a MVEL expression should be avoided.\n\n\n## Example\nIn the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. 
In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // BAD: the user-provided expression is directly evaluated\n MVEL.eval(expression);\n }\n}\n\npublic void safeEvaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // GOOD: the user-provided expression is validated before evaluation\n validateExpression(expression);\n MVEL.eval(expression);\n }\n}\n\nprivate void validateExpression(String expression) {\n // Validate that the expression does not contain unexpected code.\n // For instance, this can be done with allow-lists or deny-lists of code patterns.\n}\n```\n\n## References\n* MVEL Documentation: [Language Guide for 2.0](http://mvel.documentnode.com/).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/netty-http-request-or-response-splitting", + "name": "java/netty-http-request-or-response-splitting", + "shortDescription": { + "text": "Disabled Netty HTTP header validation" + }, + "fullDescription": { + "text": "Disabling HTTP header validation makes code vulnerable to attack by header splitting if user input is written directly to an 
HTTP header." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabled Netty HTTP header validation\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. 
The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. 
The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-93](https://cwe.mitre.org/data/definitions/93.html).\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n", + "markdown": "# Disabled Netty HTTP header validation\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. 
This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. 
The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response 
splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-93](https://cwe.mitre.org/data/definitions/93.html).\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-113", + "external/cwe/cwe-93", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/ognl-injection", + "name": "java/ognl-injection", + "shortDescription": { + "text": "OGNL Expression Language statement with user-controlled input" + }, + "fullDescription": { + "text": "Evaluation of OGNL Expression Language statement with user-controlled input can lead to execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# OGNL Expression Language statement with user-controlled input\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. OGNL can create or change executable code, consequently it can introduce critical security flaws to any application that uses it. Evaluation of unvalidated expressions is a common flaw in OGNL. This exposes the properties of Java objects to modification by an attacker and may allow them to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to avoid evaluating untrusted ONGL expressions. 
If user-provided OGNL expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.\n\n\n## Example\nIn the following examples, the code accepts an OGNL expression from the user and evaluates it.\n\nIn the first example, the user-provided OGNL expression is parsed and evaluated.\n\nThe second example validates the expression and evaluates it inside a sandbox. You can add a sandbox by setting a system property, as shown in the example, or by adding `-Dognl.security.manager` to JVM arguments.\n\n\n```java\nimport ognl.Ognl;\nimport ognl.OgnlException;\n\npublic void evaluate(HttpServletRequest request, Object root) throws OgnlException {\n String expression = request.getParameter(\"expression\");\n\n // BAD: User provided expression is evaluated\n Ognl.getValue(expression, root);\n \n // GOOD: The name is validated and expression is evaluated in sandbox\n System.setProperty(\"ognl.security.manager\", \"\"); // Or add -Dognl.security.manager to JVM args\n if (isValid(expression)) {\n Ognl.getValue(expression, root);\n } else {\n // Reject the request\n }\n}\n\npublic void isValid(Strig expression) {\n // Custom method to validate the expression.\n // For instance, make sure it doesn't include unexpected code.\n}\n\n```\n\n## References\n* Apache Commons: [Apache Commons OGNL](https://commons.apache.org/proper/commons-ognl/).\n* Struts security: [Proactively protect from OGNL Expression Injections attacks](https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable).\n* Common Weakness Enumeration: [CWE-917](https://cwe.mitre.org/data/definitions/917.html).\n", + "markdown": "# OGNL Expression Language statement with user-controlled input\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. OGNL can create or change executable code, consequently it can introduce critical security flaws to any application that uses it. 
Evaluation of unvalidated expressions is a common flaw in OGNL. This exposes the properties of Java objects to modification by an attacker and may allow them to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to avoid evaluating untrusted ONGL expressions. If user-provided OGNL expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.\n\n\n## Example\nIn the following examples, the code accepts an OGNL expression from the user and evaluates it.\n\nIn the first example, the user-provided OGNL expression is parsed and evaluated.\n\nThe second example validates the expression and evaluates it inside a sandbox. You can add a sandbox by setting a system property, as shown in the example, or by adding `-Dognl.security.manager` to JVM arguments.\n\n\n```java\nimport ognl.Ognl;\nimport ognl.OgnlException;\n\npublic void evaluate(HttpServletRequest request, Object root) throws OgnlException {\n String expression = request.getParameter(\"expression\");\n\n // BAD: User provided expression is evaluated\n Ognl.getValue(expression, root);\n \n // GOOD: The name is validated and expression is evaluated in sandbox\n System.setProperty(\"ognl.security.manager\", \"\"); // Or add -Dognl.security.manager to JVM args\n if (isValid(expression)) {\n Ognl.getValue(expression, root);\n } else {\n // Reject the request\n }\n}\n\npublic void isValid(Strig expression) {\n // Custom method to validate the expression.\n // For instance, make sure it doesn't include unexpected code.\n}\n\n```\n\n## References\n* Apache Commons: [Apache Commons OGNL](https://commons.apache.org/proper/commons-ognl/).\n* Struts security: [Proactively protect from OGNL Expression Injections attacks](https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable).\n* Common Weakness Enumeration: [CWE-917](https://cwe.mitre.org/data/definitions/917.html).\n" + }, + "properties": { + "tags": [ 
+ "external/cwe/cwe-917", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/overly-large-range", + "name": "java/overly-large-range", + "shortDescription": { + "text": "Overly permissive regular expression range" + }, + "fullDescription": { + "text": "Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```java\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-f]{6}\", color);\n }\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-F]{6}\", color);\n }\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. 
Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```java\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-f]{6}\", color);\n }\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-F]{6}\", color);\n }\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/partial-path-traversal-from-remote", + "name": "java/partial-path-traversal-from-remote", + "shortDescription": { + "text": "Partial path traversal vulnerability from remote" + }, + "fullDescription": { + "text": "A prefix used to check that a canonicalised path falls within another must be slash-terminated." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Partial path traversal vulnerability from remote\nA common way to check that a user-supplied path `SUBDIR` falls inside a directory `DIR` is to use `getCanonicalPath()` to remove any path-traversal elements and then check that `DIR` is a prefix. However, if `DIR` is not slash-terminated, this can unexpectedly allow accessing siblings of `DIR`.\n\nSee also `java/partial-path-traversal`, which is similar to this query, but may also flag non-remotely-exploitable instances of partial path traversal vulnerabilities.\n\n\n## Recommendation\nIf the user should only access items within a certain directory `DIR`, ensure that `DIR` is slash-terminated before checking that `DIR` is a prefix of the user-provided path, `SUBDIR`. Note, Java's `getCanonicalPath()` returns a **non**-slash-terminated path string, so a slash must be added to `DIR` if that method is used.\n\n\n## Example\nIn this example, the `if` statement checks if `parent.getCanonicalPath()` is a prefix of `dir.getCanonicalPath()`. However, `parent.getCanonicalPath()` is not slash-terminated. This means that users that supply `dir` may be also allowed to access siblings of `parent` and not just children of `parent`, which is a security issue.\n\n\n```java\npublic class PartialPathTraversalBad {\n public void example(File dir, File parent) throws IOException {\n if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\nIn this example, the `if` statement checks if `parent.toPath()` is a prefix of `dir.normalize()`. 
Because `Path#startsWith` does the correct check that `dir` is a child of `parent`, users will not be able to access siblings of `parent`, as desired.\n\n\n```java\nimport java.io.File;\n\npublic class PartialPathTraversalGood {\n public void example(File dir, File parent) throws IOException {\n if (!dir.toPath().normalize().startsWith(parent.toPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Partial Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* CVE-2022-23457: [ ESAPI Vulnerability Report](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n", + "markdown": "# Partial path traversal vulnerability from remote\nA common way to check that a user-supplied path `SUBDIR` falls inside a directory `DIR` is to use `getCanonicalPath()` to remove any path-traversal elements and then check that `DIR` is a prefix. However, if `DIR` is not slash-terminated, this can unexpectedly allow accessing siblings of `DIR`.\n\nSee also `java/partial-path-traversal`, which is similar to this query, but may also flag non-remotely-exploitable instances of partial path traversal vulnerabilities.\n\n\n## Recommendation\nIf the user should only access items within a certain directory `DIR`, ensure that `DIR` is slash-terminated before checking that `DIR` is a prefix of the user-provided path, `SUBDIR`. Note, Java's `getCanonicalPath()` returns a **non**-slash-terminated path string, so a slash must be added to `DIR` if that method is used.\n\n\n## Example\nIn this example, the `if` statement checks if `parent.getCanonicalPath()` is a prefix of `dir.getCanonicalPath()`. However, `parent.getCanonicalPath()` is not slash-terminated. 
This means that users that supply `dir` may be also allowed to access siblings of `parent` and not just children of `parent`, which is a security issue.\n\n\n```java\npublic class PartialPathTraversalBad {\n public void example(File dir, File parent) throws IOException {\n if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\nIn this example, the `if` statement checks if `parent.toPath()` is a prefix of `dir.normalize()`. Because `Path#startsWith` does the correct check that `dir` is a child of `parent`, users will not be able to access siblings of `parent`, as desired.\n\n\n```java\nimport java.io.File;\n\npublic class PartialPathTraversalGood {\n public void example(File dir, File parent) throws IOException {\n if (!dir.toPath().normalize().startsWith(parent.toPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Partial Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* CVE-2022-23457: [ ESAPI Vulnerability Report](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-023", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/path-injection", + "name": "java/path-injection", + "shortDescription": { + "text": "Uncontrolled data used in path expression" + }, + "fullDescription": { + "text": "Accessing paths influenced by users can allow an attacker to access unexpected resources." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Uncontrolled data used in path expression\nAccessing paths controlled by users can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nPaths that are naively constructed from data controlled by a user may be absolute paths, or may contain unexpected special characters such as \"..\". Such a path could point anywhere on the file system.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nCommon validation methods include checking that the normalized path is relative and does not contain any \"..\" components, or checking that the path is contained within a safe folder. The method you should use depends on how the path is used in the application, and whether the path should be a single path component.\n\nIf the path should be a single path component (such as a file name), you can check for the existence of any path separators (\"/\" or \"\\\\\"), or \"..\" sequences in the input, and reject the input if any are found.\n\nNote that removing \"../\" sequences is *not* sufficient, since the input could still contain a path separator followed by \"..\". For example, the input \".../...//\" would still result in the string \"../\" if only \"../\" sequences are removed.\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn this example, a file name is read from a `java.net.Socket` and then used to access a file and send it back over the socket. 
However, a malicious user could enter a file name anywhere on the file system, such as \"/etc/passwd\" or \"../../../etc/passwd\".\n\n\n```java\npublic void sendUserFile(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// BAD: read from a file without checking its path\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n\n```\nIf the input should only be a file name, you can check that it doesn't contain any path separators or \"..\" sequences.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// GOOD: ensure that the filename has no path separators or parent directory references\n\tif (filename.contains(\"..\") || filename.contains(\"/\") || filename.contains(\"\\\\\")) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\t\n}\n\n```\nIf the input should be within a specific directory, you can check that the resolved path is still contained within that directory.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\n\tPath publicFolder = Paths.get(\"/home/\" + user + 
\"/public\").normalize().toAbsolutePath();\n\tPath filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();\n\n\t// GOOD: ensure that the path stays within the public folder\n\tif (!filePath.startsWith(publicFolder + File.separator)) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n", + "markdown": "# Uncontrolled data used in path expression\nAccessing paths controlled by users can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nPaths that are naively constructed from data controlled by a user may be absolute paths, or may contain unexpected special characters such as \"..\". Such a path could point anywhere on the file system.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nCommon validation methods include checking that the normalized path is relative and does not contain any \"..\" components, or checking that the path is contained within a safe folder. 
The method you should use depends on how the path is used in the application, and whether the path should be a single path component.\n\nIf the path should be a single path component (such as a file name), you can check for the existence of any path separators (\"/\" or \"\\\\\"), or \"..\" sequences in the input, and reject the input if any are found.\n\nNote that removing \"../\" sequences is *not* sufficient, since the input could still contain a path separator followed by \"..\". For example, the input \".../...//\" would still result in the string \"../\" if only \"../\" sequences are removed.\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn this example, a file name is read from a `java.net.Socket` and then used to access a file and send it back over the socket. However, a malicious user could enter a file name anywhere on the file system, such as \"/etc/passwd\" or \"../../../etc/passwd\".\n\n\n```java\npublic void sendUserFile(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// BAD: read from a file without checking its path\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n\n```\nIf the input should only be a file name, you can check that it doesn't contain any path separators or \"..\" sequences.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// GOOD: ensure that the filename has no path 
separators or parent directory references\n\tif (filename.contains(\"..\") || filename.contains(\"/\") || filename.contains(\"\\\\\")) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\t\n}\n\n```\nIf the input should be within a specific directory, you can check that the resolved path is still contained within that directory.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\n\tPath publicFolder = Paths.get(\"/home/\" + user + \"/public\").normalize().toAbsolutePath();\n\tPath filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();\n\n\t// GOOD: ensure that the path stays within the public folder\n\tif (!filePath.startsWith(publicFolder + File.separator)) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n" + }, + "properties": { + "tags": [ + 
"external/cwe/cwe-022", + "external/cwe/cwe-023", + "external/cwe/cwe-036", + "external/cwe/cwe-073", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/polynomial-redos", + "name": "java/polynomial-redos", + "shortDescription": { + "text": "Polynomial regular expression used on uncontrolled data" + }, + "fullDescription": { + "text": "A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. 
More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```java\n\nPattern.compile(\"^\\\\s+|\\\\s+$\").matcher(text).replaceAll(\"\") // BAD\n```\nThe sub-expression `\"\\\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`\"^\\\\s+|(? 
1000) {\n throw new IllegalArgumentException(\"Input too long\");\n}\n\nPattern.matches(\"^(\\\\+|-)?(\\\\d+|(\\\\d*\\\\.\\\\d*))?(E|e)?([-+])?(\\\\d+)?$\", str); \n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown": "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```java\n\nPattern.compile(\"^\\\\s+|\\\\s+$\").matcher(text).replaceAll(\"\") // BAD\n```\nThe sub-expression `\"\\\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. 
So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`\"^\\\\s+|(? 1000) {\n throw new IllegalArgumentException(\"Input too long\");\n}\n\nPattern.matches(\"^(\\\\+|-)?(\\\\d+|(\\\\d*\\\\.\\\\d*))?(E|e)?([-+])?(\\\\d+)?$\", str); \n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1333", + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/predictable-seed", + "name": "java/predictable-seed", + "shortDescription": { + "text": "Use of a predictable seed in a secure random number generator" + }, + "fullDescription": { + "text": "Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of a predictable seed in a secure random number generator\nUsing a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.\n\n\n## Recommendation\nIf the predictability of the pseudo-random number generator does not matter then consider using the faster `Random` class from `java.util`. If it is important that the pseudo-random number generator produces completely unpredictable values then either let the generator securely seed itself by not specifying a seed or specify a randomly generated, unpredictable seed.\n\n\n## Example\nIn the first example shown here, a constant value is used as a seed. Depending on the implementation of ` SecureRandom`, this could lead to the same random number being generated each time the code is executed.\n\nIn the second example shown here, the system time is used as a seed. Depending on the implementation of ` SecureRandom`, if an attacker knows what time the code was run, they could predict the generated random number.\n\nIn the third example shown here, the random number generator is allowed to generate its own seed, which it will do in a secure way.\n\n\n```java\nSecureRandom prng = new SecureRandom();\nint randomData = 0;\n\n// BAD: Using a constant value as a seed for a random number generator means all numbers it generates are predictable.\nprng.setSeed(12345L);\nrandomData = prng.next(32);\n\n// BAD: System.currentTimeMillis() returns the system time which is predictable.\nprng.setSeed(System.currentTimeMillis());\nrandomData = prng.next(32);\n\n// GOOD: SecureRandom implementations seed themselves securely by default.\nprng = new SecureRandom();\nrandomData = prng.next(32);\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-335](https://cwe.mitre.org/data/definitions/335.html).\n* Common Weakness Enumeration: [CWE-337](https://cwe.mitre.org/data/definitions/337.html).\n", + 
"markdown": "# Use of a predictable seed in a secure random number generator\nUsing a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.\n\n\n## Recommendation\nIf the predictability of the pseudo-random number generator does not matter then consider using the faster `Random` class from `java.util`. If it is important that the pseudo-random number generator produces completely unpredictable values then either let the generator securely seed itself by not specifying a seed or specify a randomly generated, unpredictable seed.\n\n\n## Example\nIn the first example shown here, a constant value is used as a seed. Depending on the implementation of ` SecureRandom`, this could lead to the same random number being generated each time the code is executed.\n\nIn the second example shown here, the system time is used as a seed. Depending on the implementation of ` SecureRandom`, if an attacker knows what time the code was run, they could predict the generated random number.\n\nIn the third example shown here, the random number generator is allowed to generate its own seed, which it will do in a secure way.\n\n\n```java\nSecureRandom prng = new SecureRandom();\nint randomData = 0;\n\n// BAD: Using a constant value as a seed for a random number generator means all numbers it generates are predictable.\nprng.setSeed(12345L);\nrandomData = prng.next(32);\n\n// BAD: System.currentTimeMillis() returns the system time which is predictable.\nprng.setSeed(System.currentTimeMillis());\nrandomData = prng.next(32);\n\n// GOOD: SecureRandom implementations seed themselves securely by default.\nprng = new SecureRandom();\nrandomData = prng.next(32);\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-335](https://cwe.mitre.org/data/definitions/335.html).\n* Common Weakness Enumeration: [CWE-337](https://cwe.mitre.org/data/definitions/337.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-335", + 
"external/cwe/cwe-337", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/redos", + "name": "java/redos", + "shortDescription": { + "text": "Inefficient regular expression" + }, + "fullDescription": { + "text": "A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. 
More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this regular expression:\n\n```java\n\n^_(__|.)+_$\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```java\n\n^_(__|[^_])+_$\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + 
"markdown": "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. 
Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this regular expression:\n\n```java\n\n^_(__|.)+_$\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```java\n\n^_(__|[^_])+_$\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1333", + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/ReDoS.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/regex-injection", + "name": "java/regex-injection", + "shortDescription": { + "text": "Regular expression injection" + 
}, + "fullDescription": { + "text": "User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to provide a regex that could require exponential time on certain inputs." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as `Pattern.quote` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows an HTTP request parameter that is used to construct a regular expression.\n\nIn the first case the user-provided regex is not escaped. If a malicious user provides a regex whose worst-case performance is exponential, then this could lead to a Denial of Service.\n\nIn the second case, the user input is escaped using `Pattern.quote` before being included in the regular expression. 
This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```java\nimport java.util.regex.Pattern;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\n\npublic class RegexInjectionDemo extends HttpServlet {\n\n public boolean badExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n return input.matches(regex);\n }\n\n public boolean goodExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n return input.matches(Pattern.quote(regex));\n }\n}\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Java API Specification: [Pattern.quote](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown": "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. 
In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as `Pattern.quote` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows an HTTP request parameter that is used to construct a regular expression.\n\nIn the first case the user-provided regex is not escaped. If a malicious user provides a regex whose worst-case performance is exponential, then this could lead to a Denial of Service.\n\nIn the second case, the user input is escaped using `Pattern.quote` before being included in the regular expression. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```java\nimport java.util.regex.Pattern;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\n\npublic class RegexInjectionDemo extends HttpServlet {\n\n public boolean badExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n return input.matches(regex);\n }\n\n public boolean goodExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n return input.matches(Pattern.quote(regex));\n }\n}\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Java API Specification: 
[Pattern.quote](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/rsa-without-oaep", + "name": "java/rsa-without-oaep", + "shortDescription": { + "text": "Use of RSA algorithm without OAEP" + }, + "fullDescription": { + "text": "Using RSA encryption without OAEP padding can result in a padding oracle attack, leading to a weaker encryption." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of RSA algorithm without OAEP\nCryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption. 
Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.\n\n\n## Recommendation\nUse the OAEP scheme when using RSA encryption.\n\n\n## Example\nIn the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.\n\n\n```java\n// BAD: No padding scheme is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/NoPadding\");\n...\n\n//GOOD: OAEP padding is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-1AndMGF1Padding\");\n...\n```\n\n## References\n* [Mobile Security Testing Guide](https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations).\n* [The Padding Oracle Attack](https://robertheaton.com/2013/07/29/padding-oracle-attack/).\n* Common Weakness Enumeration: [CWE-780](https://cwe.mitre.org/data/definitions/780.html).\n", + "markdown": "# Use of RSA algorithm without OAEP\nCryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption. 
Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.\n\n\n## Recommendation\nUse the OAEP scheme when using RSA encryption.\n\n\n## Example\nIn the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.\n\n\n```java\n// BAD: No padding scheme is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/NoPadding\");\n...\n\n//GOOD: OAEP padding is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-1AndMGF1Padding\");\n...\n```\n\n## References\n* [Mobile Security Testing Guide](https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations).\n* [The Padding Oracle Attack](https://robertheaton.com/2013/07/29/padding-oracle-attack/).\n* Common Weakness Enumeration: [CWE-780](https://cwe.mitre.org/data/definitions/780.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-780", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/server-side-template-injection", + "name": "java/server-side-template-injection", + "shortDescription": { + "text": "Server-side template injection" + }, + "fullDescription": { + "text": "Untrusted input interpreted as a template can lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Server-side template injection\nTemplate injection occurs when user input is embedded in a template's code in an unsafe manner. An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. 
This permits the attacker to run arbitrary code in the server's context.\n\n\n## Recommendation\nTo fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.\n\n\n## Example\nIn the example given below, an untrusted HTTP parameter `code` is used as a Velocity template string. This can lead to remote code execution.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"bad\")\n\tpublic void bad(HttpServletRequest request) {\n\t\tVelocity.init();\n\n\t\tString code = request.getParameter(\"code\");\n\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tStringWriter w = new StringWriter();\n\t\t// evaluate( Context context, Writer out, String logTag, String instring )\n\t\tVelocity.evaluate(context, w, \"mystring\", code);\n\t}\n}\n\n```\nIn the next example, the problem is avoided by using a fixed template string `s`. 
Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"good\")\n\tpublic void good(HttpServletRequest request) {\n\t\tVelocity.init();\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tString s = \"We are using $project $name to render this.\";\n\t\tStringWriter w = new StringWriter();\n\t\tVelocity.evaluate(context, w, \"mystring\", s);\n\t\tSystem.out.println(\" string : \" + w);\n\t}\n}\n\n```\n\n## References\n* Portswigger: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Server-side template injection\nTemplate injection occurs when user input is embedded in a template's code in an unsafe manner. An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. This permits the attacker to run arbitrary code in the server's context.\n\n\n## Recommendation\nTo fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.\n\n\n## Example\nIn the example given below, an untrusted HTTP parameter `code` is used as a Velocity template string. 
This can lead to remote code execution.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"bad\")\n\tpublic void bad(HttpServletRequest request) {\n\t\tVelocity.init();\n\n\t\tString code = request.getParameter(\"code\");\n\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tStringWriter w = new StringWriter();\n\t\t// evaluate( Context context, Writer out, String logTag, String instring )\n\t\tVelocity.evaluate(context, w, \"mystring\", code);\n\t}\n}\n\n```\nIn the next example, the problem is avoided by using a fixed template string `s`. Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"good\")\n\tpublic void good(HttpServletRequest request) {\n\t\tVelocity.init();\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tString s = \"We are using $project $name to render this.\";\n\t\tStringWriter w = new StringWriter();\n\t\tVelocity.evaluate(context, w, \"mystring\", s);\n\t\tSystem.out.println(\" string : \" + w);\n\t}\n}\n\n```\n\n## References\n* Portswigger: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "external/cwe/cwe-1336", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": 
"java/spel-expression-injection", + "name": "java/spel-expression-injection", + "shortDescription": { + "text": "Expression language injection (Spring)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled Spring Expression Language (SpEL) expression may lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (Spring)\nThe Spring Expression Language (SpEL) is a powerful expression language provided by the Spring Framework. The language offers many features including invocation of methods available in the JVM. If a SpEL expression is built using attacker-controlled data, and then evaluated in a powerful context, then it may allow the attacker to run arbitrary code.\n\nThe `SpelExpressionParser` class parses a SpEL expression string and returns an `Expression` instance that can be then evaluated by calling one of its methods. By default, an expression is evaluated in a powerful `StandardEvaluationContext` that allows the expression to access other methods available in the JVM.\n\n\n## Recommendation\nIn general, including user input in a SpEL expression should be avoided. If user input must be included in the expression, it should be then evaluated in a limited context that doesn't allow arbitrary method invocation.\n\n\n## Example\nThe following example uses untrusted data to build a SpEL expression and then runs it in the default powerful context.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n return expression.getValue();\n }\n}\n```\nThe next example shows how an untrusted SpEL expression can be run in `SimpleEvaluationContext` that doesn't allow accessing arbitrary methods. 
However, it's recommended to avoid using untrusted input in SpEL expressions.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n SimpleEvaluationContext context \n = SimpleEvaluationContext.forReadWriteDataBinding().build();\n return expression.getValue(context);\n }\n}\n```\n\n## References\n* Spring Framework Reference Documentation: [Spring Expression Language (SpEL)](https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/expressions.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (Spring)\nThe Spring Expression Language (SpEL) is a powerful expression language provided by the Spring Framework. The language offers many features including invocation of methods available in the JVM. If a SpEL expression is built using attacker-controlled data, and then evaluated in a powerful context, then it may allow the attacker to run arbitrary code.\n\nThe `SpelExpressionParser` class parses a SpEL expression string and returns an `Expression` instance that can be then evaluated by calling one of its methods. By default, an expression is evaluated in a powerful `StandardEvaluationContext` that allows the expression to access other methods available in the JVM.\n\n\n## Recommendation\nIn general, including user input in a SpEL expression should be avoided. 
If user input must be included in the expression, it should be then evaluated in a limited context that doesn't allow arbitrary method invocation.\n\n\n## Example\nThe following example uses untrusted data to build a SpEL expression and then runs it in the default powerful context.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n return expression.getValue();\n }\n}\n```\nThe next example shows how an untrusted SpEL expression can be run in `SimpleEvaluationContext` that doesn't allow accessing arbitrary methods. However, it's recommended to avoid using untrusted input in SpEL expressions.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n SimpleEvaluationContext context \n = SimpleEvaluationContext.forReadWriteDataBinding().build();\n return expression.getValue(context);\n }\n}\n```\n\n## References\n* Spring Framework Reference Documentation: [Spring Expression Language (SpEL)](https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/expressions.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql", + 
"precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/spring-disabled-csrf-protection", + "name": "java/spring-disabled-csrf-protection", + "shortDescription": { + "text": "Disabled Spring CSRF protection" + }, + "fullDescription": { + "text": "Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabled Spring CSRF protection\nWhen you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n\n## Recommendation\nWhen you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n\n\n## Example\nThe following example shows the Spring Java configuration with CSRF protection disabled. 
This type of configuration should only be used if you are creating a service that is used only by non-browser clients.\n\n\n```java\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@EnableWebSecurity\n@Configuration\npublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {\n @Override\n protected void configure(HttpSecurity http) throws Exception {\n http\n .csrf(csrf ->\n // BAD - CSRF protection shouldn't be disabled\n csrf.disable() \n );\n }\n}\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Spring Security Reference: [ Cross Site Request Forgery (CSRF) ](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n", + "markdown": "# Disabled Spring CSRF protection\nWhen you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n\n## Recommendation\nWhen you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n\n\n## Example\nThe following example shows the Spring Java configuration with CSRF protection disabled. 
This type of configuration should only be used if you are creating a service that is used only by non-browser clients.\n\n\n```java\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@EnableWebSecurity\n@Configuration\npublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {\n @Override\n protected void configure(HttpSecurity http) throws Exception {\n http\n .csrf(csrf ->\n // BAD - CSRF protection shouldn't be disabled\n csrf.disable() \n );\n }\n}\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Spring Security Reference: [ Cross Site Request Forgery (CSRF) ](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-352", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/sql-injection", + "name": "java/sql-injection", + "shortDescription": { + "text": "Query built from user-controlled sources" + }, + "fullDescription": { + "text": "Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of malicious code by the user." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Query built from user-controlled sources\nIf a database query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious database queries. This applies to various database query languages, including SQL and the Java Persistence Query Language.\n\n\n## Recommendation\nUsually, it is better to use a SQL prepared statement than to build a complete SQL query with string concatenation. A prepared statement can include a wildcard, written as a question mark (?), for each part of the SQL query that is expected to be filled in by a different value each time it is run. When the query is later executed, a value must be supplied for each wildcard in the query.\n\nIn the Java Persistence Query Language, it is better to use queries with parameters than to build a complete query with string concatenation. A Java Persistence query can include a parameter placeholder for each part of the query that is expected to be filled in by a different value when run. A parameter placeholder may be indicated by a colon (:) followed by a parameter name, or by a question mark (?) followed by an integer position. When the query is later executed, a value must be supplied for each parameter in the query, using the `setParameter` method. Specifying the query using the `@NamedQuery` annotation introduces an additional level of safety: the query must be a constant string literal, preventing construction by string concatenation, and the only way to fill in values for parts of the query is by setting positional parameters.\n\nIt is good practice to use prepared statements (in SQL) or query parameters (in the Java Persistence Query Language) for supplying parameter values to a query, whether or not any of the parameters are directly traceable to user input. 
Doing so avoids any need to worry about quoting and escaping.\n\n\n## Example\nIn the following example, the code runs a simple SQL query in two different ways.\n\nThe first way involves building a query, `query1`, by concatenating an environment variable with some string literals. The environment variable can include special characters, so this code allows for SQL injection attacks.\n\nThe second way, which shows good practice, involves building a query, `query2`, with a single string literal that includes a wildcard (`?`). The wildcard is then given a value by calling `setString`. This version is immune to injection attacks, because any special characters in the environment variable are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have SQL special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\"\n + category + \"' ORDER BY PRICE\";\n ResultSet results = statement.executeQuery(query1);\n}\n\n{\n // GOOD: use a prepared query\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE\";\n PreparedStatement statement = connection.prepareStatement(query2);\n statement.setString(1, category);\n ResultSet results = statement.executeQuery();\n}\n```\n\n## Example\nThe following code shows several different ways to run a Java Persistence query.\n\nThe first example involves building a query, `query1`, by concatenating an environment variable with some string literals. Just like the SQL example, the environment variable can include special characters, so this code allows for Java Persistence query injection attacks.\n\nThe remaining examples demonstrate different methods for safely building a Java Persistence query with user-supplied values:\n\n1. 
`query2` uses a single string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `query3` uses a single string literal that includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\n1. `namedQuery1` is defined using the `@NamedQuery` annotation, whose `query` attribute is a string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `namedQuery2` is defined using the `@NamedQuery` annotation, whose `query` attribute includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\nThe parameter is then given a value by calling `setParameter`. These versions are immune to injection attacks, because any special characters in the environment variable or user-supplied value are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have Java Persistence Query Language special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT p FROM Product p WHERE p.category LIKE '\"\n + category + \"' ORDER BY p.price\";\n Query q = entityManager.createQuery(query1);\n}\n\n{\n // GOOD: use a named parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\"\n Query q = entityManager.createQuery(query2);\n q.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a positional parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query3 = \"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\"\n Query q = entityManager.createQuery(query3);\n q.setParameter(1, category);\n}\n\n{\n // GOOD: use a named query with a named parameter and set its value\n @NamedQuery(\n 
name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery1 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery1.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a named query with a positional parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery2 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery2.setParameter(1, category);\n}\n```\n\n## References\n* OWASP: [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n* SEI CERT Oracle Coding Standard for Java: [IDS00-J. Prevent SQL injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS00-J.+Prevent+SQL+injection).\n* The Java Tutorials: [Using Prepared Statements](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html).\n* The Java EE Tutorial: [The Java Persistence Query Language](https://docs.oracle.com/javaee/7/tutorial/persistence-querylanguage.htm).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-564](https://cwe.mitre.org/data/definitions/564.html).\n", + "markdown": "# Query built from user-controlled sources\nIf a database query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious database queries. This applies to various database query languages, including SQL and the Java Persistence Query Language.\n\n\n## Recommendation\nUsually, it is better to use a SQL prepared statement than to build a complete SQL query with string concatenation. 
A prepared statement can include a wildcard, written as a question mark (?), for each part of the SQL query that is expected to be filled in by a different value each time it is run. When the query is later executed, a value must be supplied for each wildcard in the query.\n\nIn the Java Persistence Query Language, it is better to use queries with parameters than to build a complete query with string concatenation. A Java Persistence query can include a parameter placeholder for each part of the query that is expected to be filled in by a different value when run. A parameter placeholder may be indicated by a colon (:) followed by a parameter name, or by a question mark (?) followed by an integer position. When the query is later executed, a value must be supplied for each parameter in the query, using the `setParameter` method. Specifying the query using the `@NamedQuery` annotation introduces an additional level of safety: the query must be a constant string literal, preventing construction by string concatenation, and the only way to fill in values for parts of the query is by setting positional parameters.\n\nIt is good practice to use prepared statements (in SQL) or query parameters (in the Java Persistence Query Language) for supplying parameter values to a query, whether or not any of the parameters are directly traceable to user input. Doing so avoids any need to worry about quoting and escaping.\n\n\n## Example\nIn the following example, the code runs a simple SQL query in two different ways.\n\nThe first way involves building a query, `query1`, by concatenating an environment variable with some string literals. The environment variable can include special characters, so this code allows for SQL injection attacks.\n\nThe second way, which shows good practice, involves building a query, `query2`, with a single string literal that includes a wildcard (`?`). The wildcard is then given a value by calling `setString`. 
This version is immune to injection attacks, because any special characters in the environment variable are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have SQL special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\"\n + category + \"' ORDER BY PRICE\";\n ResultSet results = statement.executeQuery(query1);\n}\n\n{\n // GOOD: use a prepared query\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE\";\n PreparedStatement statement = connection.prepareStatement(query2);\n statement.setString(1, category);\n ResultSet results = statement.executeQuery();\n}\n```\n\n## Example\nThe following code shows several different ways to run a Java Persistence query.\n\nThe first example involves building a query, `query1`, by concatenating an environment variable with some string literals. Just like the SQL example, the environment variable can include special characters, so this code allows for Java Persistence query injection attacks.\n\nThe remaining examples demonstrate different methods for safely building a Java Persistence query with user-supplied values:\n\n1. `query2` uses a single string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `query3` uses a single string literal that includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\n1. `namedQuery1` is defined using the `@NamedQuery` annotation, whose `query` attribute is a string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. 
`namedQuery2` is defined using the `@NamedQuery` annotation, whose `query` attribute includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\nThe parameter is then given a value by calling `setParameter`. These versions are immune to injection attacks, because any special characters in the environment variable or user-supplied value are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have Java Persistence Query Language special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT p FROM Product p WHERE p.category LIKE '\"\n + category + \"' ORDER BY p.price\";\n Query q = entityManager.createQuery(query1);\n}\n\n{\n // GOOD: use a named parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\"\n Query q = entityManager.createQuery(query2);\n q.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a positional parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query3 = \"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\"\n Query q = entityManager.createQuery(query3);\n q.setParameter(1, category);\n}\n\n{\n // GOOD: use a named query with a named parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery1 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery1.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a named query with a positional parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY 
p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery2 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery2.setParameter(1, category);\n}\n```\n\n## References\n* OWASP: [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n* SEI CERT Oracle Coding Standard for Java: [IDS00-J. Prevent SQL injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS00-J.+Prevent+SQL+injection).\n* The Java Tutorials: [Using Prepared Statements](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html).\n* The Java EE Tutorial: [The Java Persistence Query Language](https://docs.oracle.com/javaee/7/tutorial/persistence-querylanguage.htm).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-564](https://cwe.mitre.org/data/definitions/564.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-089", + "external/cwe/cwe-564", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/ssrf", + "name": "java/ssrf", + "shortDescription": { + "text": "Server-side request forgery" + }, + "fullDescription": { + "text": "Making web requests based on unvalidated user-input may cause the server to communicate with malicious servers." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Server-side request forgery\nDirectly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. 
In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.\n\n\n## Recommendation\nTo guard against SSRF attacks, you should avoid putting user-provided input directly into a request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the input provided. Alternatively, ensure requests constructed from user input are limited to a particular host or more restrictive URL prefix.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\nimport java.net.http.HttpClient;\n\npublic class SSRF extends HttpServlet {\n\tprivate static final String VALID_URI = \"http://lgtm.com\";\n\tprivate HttpClient client = HttpClient.newHttpClient();\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\tthrows ServletException, IOException {\n\t\tURI uri = new URI(request.getParameter(\"uri\"));\n\t\t// BAD: a request parameter is incorporated without validation into a Http request\n\t\tHttpRequest r = HttpRequest.newBuilder(uri).build();\n\t\tclient.send(r, null);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_URI.equals(request.getParameter(\"uri\"))) {\n\t\t\tHttpRequest r2 = HttpRequest.newBuilder(uri).build();\n\t\t\tclient.send(r2, null);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* [OWASP SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n", + "markdown": "# Server-side request forgery\nDirectly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. 
In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.\n\n\n## Recommendation\nTo guard against SSRF attacks, you should avoid putting user-provided input directly into a request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the input provided. Alternatively, ensure requests constructed from user input are limited to a particular host or more restrictive URL prefix.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\nimport java.net.http.HttpClient;\n\npublic class SSRF extends HttpServlet {\n\tprivate static final String VALID_URI = \"http://lgtm.com\";\n\tprivate HttpClient client = HttpClient.newHttpClient();\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\tthrows ServletException, IOException {\n\t\tURI uri = new URI(request.getParameter(\"uri\"));\n\t\t// BAD: a request parameter is incorporated without validation into a Http request\n\t\tHttpRequest r = HttpRequest.newBuilder(uri).build();\n\t\tclient.send(r, null);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_URI.equals(request.getParameter(\"uri\"))) {\n\t\t\tHttpRequest r2 = HttpRequest.newBuilder(uri).build();\n\t\t\tclient.send(r2, null);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* [OWASP SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-918", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql", + "precision": "high", + "security-severity": "9.1" + } + }, + { + "id": "java/stack-trace-exposure", + "name": "java/stack-trace-exposure", + "shortDescription": { + "text": "Information exposure through a stack trace" + }, + "fullDescription": { + "text": "Information from a stack trace propagates to an external user. Stack traces can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. 
That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n", + "markdown": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. 
The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. 
Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-209", + "external/cwe/cwe-497", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql", + "precision": "high", + "security-severity": "5.4" + } + }, + { + "id": "java/static-initialization-vector", + "name": "java/static-initialization-vector", + "shortDescription": { + "text": "Using a static initialization vector for encryption" + }, + "fullDescription": { + "text": "An initialization vector (IV) used for ciphers of certain modes (such as CBC or GCM) should be unique and unpredictable, to maximize encryption and prevent dictionary attacks." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Using a static initialization vector for encryption\nWhen a cipher is used in certain modes such as CBC or GCM, it requires an initialization vector (IV). Under the same secret key, IVs should be unique and ideally unpredictable. If the same IV is used with the same secret key, then the same plaintext results in the same ciphertext. 
This can let an attacker learn if the same data pieces are transferred or stored, or help the attacker run a dictionary attack.\n\n\n## Recommendation\nUse a random IV generated by `SecureRandom`.\n\n\n## Example\nThe following example initializes a cipher with a static IV, which is unsafe:\n\n\n```java\nbyte[] iv = new byte[16]; // all zeroes\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\nThe next example initializes a cipher with a random IV:\n\n\n```java\nbyte[] iv = new byte[16];\nSecureRandom random = SecureRandom.getInstanceStrong();\nrandom.nextBytes(iv);\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\n\n## References\n* Wikipedia: [Initialization vector](https://en.wikipedia.org/wiki/Initialization_vector).\n* National Institute of Standards and Technology: [Recommendation for Block Cipher Modes of Operation](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).\n* National Institute of Standards and Technology: [FIPS 140-2: Security Requirements for Cryptographic Modules](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf).\n* Common Weakness Enumeration: [CWE-329](https://cwe.mitre.org/data/definitions/329.html).\n* Common Weakness Enumeration: [CWE-1204](https://cwe.mitre.org/data/definitions/1204.html).\n", + "markdown": "# Using a static initialization vector for encryption\nWhen a cipher is used in certain modes such as CBC or GCM, it requires an initialization vector (IV). Under the same secret key, IVs should be unique and ideally unpredictable. If the same IV is used with the same secret key, then the same plaintext results in the same ciphertext. 
This can let an attacker learn if the same data pieces are transferred or stored, or help the attacker run a dictionary attack.\n\n\n## Recommendation\nUse a random IV generated by `SecureRandom`.\n\n\n## Example\nThe following example initializes a cipher with a static IV, which is unsafe:\n\n\n```java\nbyte[] iv = new byte[16]; // all zeroes\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\nThe next example initializes a cipher with a random IV:\n\n\n```java\nbyte[] iv = new byte[16];\nSecureRandom random = SecureRandom.getInstanceStrong();\nrandom.nextBytes(iv);\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\n\n## References\n* Wikipedia: [Initialization vector](https://en.wikipedia.org/wiki/Initialization_vector).\n* National Institute of Standards and Technology: [Recommendation for Block Cipher Modes of Operation](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).\n* National Institute of Standards and Technology: [FIPS 140-2: Security Requirements for Cryptographic Modules](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf).\n* Common Weakness Enumeration: [CWE-329](https://cwe.mitre.org/data/definitions/329.html).\n* Common Weakness Enumeration: [CWE-1204](https://cwe.mitre.org/data/definitions/1204.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1204", + "external/cwe/cwe-329", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/summary/lines-of-code", + "name": "java/summary/lines-of-code", + "shortDescription": { + "text": "Total lines of Java/Kotlin 
code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Java and Kotlin files. This is a useful metric of the size of a database. For all source files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "lines-of-code", + "summary" + ] + } + }, + { + "id": "java/summary/lines-of-code-java", + "name": "java/summary/lines-of-code-java", + "shortDescription": { + "text": "Total lines of Java code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Java files. This is a useful metric of the size of a database. For all Java files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "summary" + ] + } + }, + { + "id": "java/summary/lines-of-code-kotlin", + "name": "java/summary/lines-of-code-kotlin", + "shortDescription": { + "text": "Total lines of Kotlin code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Kotlin files. This is a useful metric of the size of a database. For all Kotlin files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "summary" + ] + } + }, + { + "id": "java/tainted-format-string", + "name": "java/tainted-format-string", + "shortDescription": { + "text": "Use of externally-controlled format string" + }, + "fullDescription": { + "text": "Using external input in format strings can lead to exceptions or information leaks." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of externally-controlled format string\nThe `String.format` method and related methods, like `PrintStream.printf` and `Formatter.format`, all accept a format string that is used to format the trailing arguments to the format call by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain extra format specifiers that cause an exception to be thrown or information to be leaked.\n\nThe Java standard library implementation for the format methods throws an exception if either the format specifier does not match the type of the argument, or if there are too few or too many arguments. If unsanitized input is used in the format string, it may contain invalid extra format specifiers which cause an exception to be thrown.\n\nPositional format specifiers may be used to access an argument to the format call by position. Unsanitized input in the format string may use a positional format specifier to access information that was not intended to be visible. 
For example, when formatting a Calendar instance we may intend to print only the year, but a user-specified format string may include a specifier to access the month and day.\n\n\n## Recommendation\nIf the argument passed as a format string is meant to be a plain string rather than a format string, then pass `%s` as the format string, and pass the original argument as the sole trailing argument.\n\n\n## Example\nThe following program is meant to check a card security code for a stored credit card:\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response)\n throws ServletException, IOException {\n Calendar expirationDate = new GregorianCalendar(2017, GregorianCalendar.SEPTEMBER, 1);\n // User provided value\n String cardSecurityCode = request.getParameter(\"cardSecurityCode\");\n \n if (notValid(cardSecurityCode)) {\n \n /*\n * BAD: user provided value is included in the format string.\n * A malicious user could provide an extra format specifier, which causes an\n * exception to be thrown. Or they could provide a %1$tm or %1$te format specifier to\n * access the month or day of the expiration date.\n */\n System.out.format(cardSecurityCode +\n \" is not the right value. Hint: the card expires in %1$ty.\",\n expirationDate);\n \n // GOOD: %s is used to include the user-provided cardSecurityCode in the output\n System.out.format(\"%s is not the right value. Hint: the card expires in %2$ty.\",\n cardSecurityCode,\n expirationDate);\n }\n\n }\n}\n```\nHowever, in the first format call it uses the cardSecurityCode provided by the user in a format string. If the user includes a format specifier in the cardSecurityCode field, they may be able to cause an exception to be thrown, or to be able to access extra information about the stored card expiration date.\n\nThe second format call shows the correct approach. The user-provided value is passed as an argument to the format call. 
This prevents any format specifiers in the user provided value from being evaluated.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [IDS06-J. Exclude unsanitized user input from format strings](https://wiki.sei.cmu.edu/confluence/display/java/IDS06-J.+Exclude+unsanitized+user+input+from+format+strings).\n* The Java Tutorials: [Formatting Numeric Print Output](https://docs.oracle.com/javase/tutorial/java/data/numberformat.html).\n* Java API Specification: [Formatter](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/Formatter.html).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n", + "markdown": "# Use of externally-controlled format string\nThe `String.format` method and related methods, like `PrintStream.printf` and `Formatter.format`, all accept a format string that is used to format the trailing arguments to the format call by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain extra format specifiers that cause an exception to be thrown or information to be leaked.\n\nThe Java standard library implementation for the format methods throws an exception if either the format specifier does not match the type of the argument, or if there are too few or too many arguments. If unsanitized input is used in the format string, it may contain invalid extra format specifiers which cause an exception to be thrown.\n\nPositional format specifiers may be used to access an argument to the format call by position. Unsanitized input in the format string may use a positional format specifier to access information that was not intended to be visible. 
For example, when formatting a Calendar instance we may intend to print only the year, but a user-specified format string may include a specifier to access the month and day.\n\n\n## Recommendation\nIf the argument passed as a format string is meant to be a plain string rather than a format string, then pass `%s` as the format string, and pass the original argument as the sole trailing argument.\n\n\n## Example\nThe following program is meant to check a card security code for a stored credit card:\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response)\n throws ServletException, IOException {\n Calendar expirationDate = new GregorianCalendar(2017, GregorianCalendar.SEPTEMBER, 1);\n // User provided value\n String cardSecurityCode = request.getParameter(\"cardSecurityCode\");\n \n if (notValid(cardSecurityCode)) {\n \n /*\n * BAD: user provided value is included in the format string.\n * A malicious user could provide an extra format specifier, which causes an\n * exception to be thrown. Or they could provide a %1$tm or %1$te format specifier to\n * access the month or day of the expiration date.\n */\n System.out.format(cardSecurityCode +\n \" is not the right value. Hint: the card expires in %1$ty.\",\n expirationDate);\n \n // GOOD: %s is used to include the user-provided cardSecurityCode in the output\n System.out.format(\"%s is not the right value. Hint: the card expires in %2$ty.\",\n cardSecurityCode,\n expirationDate);\n }\n\n }\n}\n```\nHowever, in the first format call it uses the cardSecurityCode provided by the user in a format string. If the user includes a format specifier in the cardSecurityCode field, they may be able to cause an exception to be thrown, or to be able to access extra information about the stored card expiration date.\n\nThe second format call shows the correct approach. The user-provided value is passed as an argument to the format call. 
This prevents any format specifiers in the user provided value from being evaluated.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [IDS06-J. Exclude unsanitized user input from format strings](https://wiki.sei.cmu.edu/confluence/display/java/IDS06-J.+Exclude+unsanitized+user+input+from+format+strings).\n* The Java Tutorials: [Formatting Numeric Print Output](https://docs.oracle.com/javase/tutorial/java/data/numberformat.html).\n* Java API Specification: [Formatter](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/Formatter.html).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-134", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/tainted-numeric-cast", + "name": "java/tainted-numeric-cast", + "shortDescription": { + "text": "User-controlled data in numeric cast" + }, + "fullDescription": { + "text": "Casting user-controlled numeric data to a narrower type without validation can cause unexpected truncation." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# User-controlled data in numeric cast\nCasting a user-controlled numeric value to a narrower type can result in truncated values unless the input is validated.\n\nNarrowing conversions may cause potentially unintended results. 
For example, casting the positive integer value `128` to type `byte` yields the negative value `-128`.\n\n\n## Recommendation\nGuard against unexpected truncation of user-controlled arithmetic data by doing one of the following:\n\n* Validate the user input.\n* Define a guard on the cast expression, so that the cast is performed only if the input is known to be within the range of the resulting type.\n* Avoid casting to a narrower type, and instead continue to use a wider type.\n\n## Example\nIn this example, a value is read from standard input into a `long`. Because the value is a user-controlled value, it could be extremely large. Casting this value to a narrower type could therefore cause unexpected truncation. The `scaled2` example uses a guard to avoid this problem and checks the range of the input before performing the cast. If the value is too large to cast to type `int` it is rejected as invalid.\n\n\n```java\nclass Test {\n\tpublic static void main(String[] args) throws IOException {\n\t\t{\n\t\t\tlong data;\n\n\t\t\tBufferedReader readerBuffered = new BufferedReader(\n\t\t\t\t\tnew InputStreamReader(System.in, \"UTF-8\"));\n\t\t\tString stringNumber = readerBuffered.readLine();\n\t\t\tif (stringNumber != null) {\n\t\t\t\tdata = Long.parseLong(stringNumber.trim());\n\t\t\t} else {\n\t\t\t\tdata = 0;\n\t\t\t}\n\n\t\t\t// AVOID: potential truncation if input data is very large,\n\t\t\t// for example 'Long.MAX_VALUE'\n\t\t\tint scaled = (int)data;\n\n\t\t\t//...\n\n\t\t\t// GOOD: use a guard to ensure no truncation occurs\n\t\t\tint scaled2;\n\t\t\tif (data > Integer.MIN_VALUE && data < Integer.MAX_VALUE)\n\t\t\t\tscaled2 = (int)data;\n\t\t\telse\n\t\t\t\tthrow new IllegalArgumentException(\"Invalid input\");\n\t\t}\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [NUM12-J. 
Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data](https://wiki.sei.cmu.edu/confluence/display/java/NUM12-J.+Ensure+conversions+of+numeric+types+to+narrower+types+do+not+result+in+lost+or+misinterpreted+data).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n", + "markdown": "# User-controlled data in numeric cast\nCasting a user-controlled numeric value to a narrower type can result in truncated values unless the input is validated.\n\nNarrowing conversions may cause potentially unintended results. For example, casting the positive integer value `128` to type `byte` yields the negative value `-128`.\n\n\n## Recommendation\nGuard against unexpected truncation of user-controlled arithmetic data by doing one of the following:\n\n* Validate the user input.\n* Define a guard on the cast expression, so that the cast is performed only if the input is known to be within the range of the resulting type.\n* Avoid casting to a narrower type, and instead continue to use a wider type.\n\n## Example\nIn this example, a value is read from standard input into a `long`. Because the value is a user-controlled value, it could be extremely large. Casting this value to a narrower type could therefore cause unexpected truncation. The `scaled2` example uses a guard to avoid this problem and checks the range of the input before performing the cast. 
If the value is too large to cast to type `int` it is rejected as invalid.\n\n\n```java\nclass Test {\n\tpublic static void main(String[] args) throws IOException {\n\t\t{\n\t\t\tlong data;\n\n\t\t\tBufferedReader readerBuffered = new BufferedReader(\n\t\t\t\t\tnew InputStreamReader(System.in, \"UTF-8\"));\n\t\t\tString stringNumber = readerBuffered.readLine();\n\t\t\tif (stringNumber != null) {\n\t\t\t\tdata = Long.parseLong(stringNumber.trim());\n\t\t\t} else {\n\t\t\t\tdata = 0;\n\t\t\t}\n\n\t\t\t// AVOID: potential truncation if input data is very large,\n\t\t\t// for example 'Long.MAX_VALUE'\n\t\t\tint scaled = (int)data;\n\n\t\t\t//...\n\n\t\t\t// GOOD: use a guard to ensure no truncation occurs\n\t\t\tint scaled2;\n\t\t\tif (data > Integer.MIN_VALUE && data < Integer.MAX_VALUE)\n\t\t\t\tscaled2 = (int)data;\n\t\t\telse\n\t\t\t\tthrow new IllegalArgumentException(\"Invalid input\");\n\t\t}\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data](https://wiki.sei.cmu.edu/confluence/display/java/NUM12-J.+Ensure+conversions+of+numeric+types+to+narrower+types+do+not+result+in+lost+or+misinterpreted+data).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-197", + "external/cwe/cwe-681", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql", + "precision": "high", + "security-severity": "9" + } + }, + { + "id": "java/tainted-permissions-check", + "name": "java/tainted-permissions-check", + "shortDescription": { + "text": "User-controlled data used in permissions check" + }, + "fullDescription": { + "text": "Using user-controlled data in a 
permissions check may result in inappropriate permissions being granted." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# User-controlled data used in permissions check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nThis example, using the Apache Shiro security framework, shows two ways to specify the permissions to check. The first way uses a string, `whatDoTheyWantToDo`, to specify the permissions to check. However, this string is built from user input. This can allow an attacker to force a check against a permission that they know they have, rather than the permission that should be checked. For example, while trying to access the account details of another user, the attacker could force the system to check whether they had permissions to access their *own* account details, which is incorrect, and would allow them to perform the action. 
The second, more secure way uses a fixed check that does not depend on data that is controlled by the user.\n\n\n```java\npublic static void main(String[] args) {\n\tString whatDoTheyWantToDo = args[0];\n\tSubject subject = SecurityUtils.getSubject();\n\n\t// BAD: permissions decision made using tainted data\n\tif(subject.isPermitted(\"domain:sublevel:\" + whatDoTheyWantToDo))\n\t\tdoIt();\n\n\t// GOOD: use fixed checks\n\tif(subject.isPermitted(\"domain:sublevel:whatTheMethodDoes\"))\n\t\tdoIt();\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SEC02-J. Do not base security checks on untrusted sources](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources).\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n", + "markdown": "# User-controlled data used in permissions check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nThis example, using the Apache Shiro security framework, shows two ways to specify the permissions to check. The first way uses a string, `whatDoTheyWantToDo`, to specify the permissions to check. However, this string is built from user input. 
This can allow an attacker to force a check against a permission that they know they have, rather than the permission that should be checked. For example, while trying to access the account details of another user, the attacker could force the system to check whether they had permissions to access their *own* account details, which is incorrect, and would allow them to perform the action. The second, more secure way uses a fixed check that does not depend on data that is controlled by the user.\n\n\n```java\npublic static void main(String[] args) {\n\tString whatDoTheyWantToDo = args[0];\n\tSubject subject = SecurityUtils.getSubject();\n\n\t// BAD: permissions decision made using tainted data\n\tif(subject.isPermitted(\"domain:sublevel:\" + whatDoTheyWantToDo))\n\t\tdoIt();\n\n\t// GOOD: use fixed checks\n\tif(subject.isPermitted(\"domain:sublevel:whatTheMethodDoes\"))\n\t\tdoIt();\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SEC02-J. Do not base security checks on untrusted sources](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources).\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-290", + "external/cwe/cwe-807", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/telemetry/external-libs", + "name": "java/telemetry/external-libs", + "shortDescription": { + "text": "External libraries" + }, + "fullDescription": { + "text": "A list of external libraries used in the code" + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": 
"java/telemetry/extraction-information", + "name": "java/telemetry/extraction-information", + "shortDescription": { + "text": "Java extraction information" + }, + "fullDescription": { + "text": "Information about the extraction for a Java database" + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api", + "name": "java/telemetry/supported-external-api", + "shortDescription": { + "text": "Usage of supported APIs coming from external libraries" + }, + "fullDescription": { + "text": "A list of supported 3rd party APIs used in the codebase. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-sinks", + "name": "java/telemetry/supported-external-api-sinks", + "shortDescription": { + "text": "Supported sinks in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as sinks. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-sources", + "name": "java/telemetry/supported-external-api-sources", + "shortDescription": { + "text": "Supported sources in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as sources. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-taint", + "name": "java/telemetry/supported-external-api-taint", + "shortDescription": { + "text": "Supported flow steps in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as flow steps. Excludes test and generated code." 
+ }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/unsupported-external-api", + "name": "java/telemetry/unsupported-external-api", + "shortDescription": { + "text": "Usage of unsupported APIs coming from external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs used in the codebase. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/unsafe-deserialization", + "name": "java/unsafe-deserialization", + "shortDescription": { + "text": "Deserialization of user-controlled data" + }, + "fullDescription": { + "text": "Deserializing user-controlled data may allow attackers to execute arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.\n\nThere are many different serialization frameworks. This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through `ObjectInputStream`/`ObjectOutputStream`.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. 
If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\nRecommendations specific to particular frameworks supported by this query:\n\n**FastJson** - `com.alibaba:fastjson`\n\n* **Secure by Default**: Partially\n* **Recommendation**: Call `com.alibaba.fastjson.parser.ParserConfig#setSafeMode` with the argument `true` before deserializing untrusted data.\n\n\n**FasterXML** - `com.fasterxml.jackson.core:jackson-databind`\n\n* **Secure by Default**: Yes\n* **Recommendation**: Don't call `com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping` and don't annotate any object fields with `com.fasterxml.jackson.annotation.JsonTypeInfo` passing either the `CLASS` or `MINIMAL_CLASS` values to the annotation. 
Read [this guide](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba).\n\n\n**Kryo** - `com.esotericsoftware:kryo` and `com.esotericsoftware:kryo5`\n\n* **Secure by Default**: Yes for `com.esotericsoftware:kryo5` and for `com.esotericsoftware:kryo` >= v5.0.0\n* **Recommendation**: Don't call `com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired` with the argument `false` on any `Kryo` instance that may deserialize untrusted data.\n\n\n**ObjectInputStream** - `Java Standard Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Use a validating input stream, such as `org.apache.commons.io.serialization.ValidatingObjectInputStream`.\n\n\n**SnakeYAML** - `org.yaml:snakeyaml`\n\n* **Secure by Default**: No\n* **Recommendation**: Pass an instance of `org.yaml.snakeyaml.constructor.SafeConstructor` to `org.yaml.snakeyaml.Yaml`'s constructor before using it to deserialize untrusted data.\n\n\n**XML Decoder** - `Standard Java Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Do not use with untrusted user input.\n\n\n**ObjectMesssage** - `Java EE/Jakarta EE`\n\n* **Secure by Default**: Depends on the JMS implementation.\n* **Recommendation**: Do not use with untrusted user input.\n\n\n\n## Example\nThe following example calls `readObject` directly on an `ObjectInputStream` that is constructed from untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic MyObject {\n public int field;\n MyObject(int field) {\n this.field = field;\n }\n}\n\npublic MyObject deserialize(Socket sock) {\n try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {\n return (MyObject)in.readObject(); // unsafe\n }\n}\n\n```\nRewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.\n\n\n```java\npublic MyObject deserialize(Socket sock) {\n try(DataInputStream in = new DataInputStream(sock.getInputStream())) {\n return new MyObject(in.readInt());\n 
}\n}\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Talks by Chris Frohoff & Gabriel Lawrence: [ AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day](http://frohoff.github.io/appseccali-marshalling-pickles/), [OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization](http://frohoff.github.io/owaspsd-deserialize-my-shorts/).\n* Alvaro Muñoz & Christian Schneider, RSAConference 2016: [Serial Killer: Silently Pwning Your Java Endpoints](https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints).\n* SnakeYaml documentation on deserialization: [SnakeYaml deserialization](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml).\n* Hessian deserialization and related gadget chains: [Hessian deserialization](https://paper.seebug.org/1137/).\n* Castor and Hessian java deserialization vulnerabilities: [Castor and Hessian deserialization](https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/).\n* Remote code execution in JYaml library: [JYaml deserialization](https://www.cybersecurity-help.cz/vdb/SB2020022512).\n* JsonIO deserialization vulnerabilities: [JsonIO deserialization](https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/).\n* Research by Moritz Bechler: [Java Unmarshaller Security - Turning your data into code execution](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)\n* Blog posts by the developer of Jackson libraries: [On Jackson CVEs: Don’t Panic — Here is what you need to 
know](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) [Jackson 2.10: Safe Default Typing](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba)\n* Jabsorb documentation on deserialization: [Jabsorb JSON Serializer](https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/).\n* Jodd JSON documentation on deserialization: [JoddJson Parser](https://json.jodd.org/parser).\n* RCE in Flexjson: [Flexjson deserialization](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html).\n* Android Intent deserialization vulnerabilities with GSON parser: [Insecure use of JSON parsers](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers).\n* Research by Matthias Kaiser: [Pwning Your Java Messaging With Deserialization Vulnerabilities](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n", + "markdown": "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.\n\nThere are many different serialization frameworks. 
This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through `ObjectInputStream`/`ObjectOutputStream`.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\nRecommendations specific to particular frameworks supported by this query:\n\n**FastJson** - `com.alibaba:fastjson`\n\n* **Secure by Default**: Partially\n* **Recommendation**: Call `com.alibaba.fastjson.parser.ParserConfig#setSafeMode` with the argument `true` before deserializing untrusted data.\n\n\n**FasterXML** - `com.fasterxml.jackson.core:jackson-databind`\n\n* **Secure by Default**: Yes\n* **Recommendation**: Don't call `com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping` and don't annotate any object fields with `com.fasterxml.jackson.annotation.JsonTypeInfo` passing either the `CLASS` or `MINIMAL_CLASS` values to the annotation. 
Read [this guide](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba).\n\n\n**Kryo** - `com.esotericsoftware:kryo` and `com.esotericsoftware:kryo5`\n\n* **Secure by Default**: Yes for `com.esotericsoftware:kryo5` and for `com.esotericsoftware:kryo` >= v5.0.0\n* **Recommendation**: Don't call `com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired` with the argument `false` on any `Kryo` instance that may deserialize untrusted data.\n\n\n**ObjectInputStream** - `Java Standard Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Use a validating input stream, such as `org.apache.commons.io.serialization.ValidatingObjectInputStream`.\n\n\n**SnakeYAML** - `org.yaml:snakeyaml`\n\n* **Secure by Default**: No\n* **Recommendation**: Pass an instance of `org.yaml.snakeyaml.constructor.SafeConstructor` to `org.yaml.snakeyaml.Yaml`'s constructor before using it to deserialize untrusted data.\n\n\n**XML Decoder** - `Standard Java Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Do not use with untrusted user input.\n\n\n**ObjectMesssage** - `Java EE/Jakarta EE`\n\n* **Secure by Default**: Depends on the JMS implementation.\n* **Recommendation**: Do not use with untrusted user input.\n\n\n\n## Example\nThe following example calls `readObject` directly on an `ObjectInputStream` that is constructed from untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic MyObject {\n public int field;\n MyObject(int field) {\n this.field = field;\n }\n}\n\npublic MyObject deserialize(Socket sock) {\n try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {\n return (MyObject)in.readObject(); // unsafe\n }\n}\n\n```\nRewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.\n\n\n```java\npublic MyObject deserialize(Socket sock) {\n try(DataInputStream in = new DataInputStream(sock.getInputStream())) {\n return new MyObject(in.readInt());\n 
}\n}\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Talks by Chris Frohoff & Gabriel Lawrence: [ AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day](http://frohoff.github.io/appseccali-marshalling-pickles/), [OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization](http://frohoff.github.io/owaspsd-deserialize-my-shorts/).\n* Alvaro Muñoz & Christian Schneider, RSAConference 2016: [Serial Killer: Silently Pwning Your Java Endpoints](https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints).\n* SnakeYaml documentation on deserialization: [SnakeYaml deserialization](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml).\n* Hessian deserialization and related gadget chains: [Hessian deserialization](https://paper.seebug.org/1137/).\n* Castor and Hessian java deserialization vulnerabilities: [Castor and Hessian deserialization](https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/).\n* Remote code execution in JYaml library: [JYaml deserialization](https://www.cybersecurity-help.cz/vdb/SB2020022512).\n* JsonIO deserialization vulnerabilities: [JsonIO deserialization](https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/).\n* Research by Moritz Bechler: [Java Unmarshaller Security - Turning your data into code execution](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)\n* Blog posts by the developer of Jackson libraries: [On Jackson CVEs: Don’t Panic — Here is what you need to 
know](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) [Jackson 2.10: Safe Default Typing](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba)\n* Jabsorb documentation on deserialization: [Jabsorb JSON Serializer](https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/).\n* Jodd JSON documentation on deserialization: [JoddJson Parser](https://json.jodd.org/parser).\n* RCE in Flexjson: [Flexjson deserialization](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html).\n* Android Intent deserialization vulnerabilities with GSON parser: [Insecure use of JSON parsers](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers).\n* Research by Matthias Kaiser: [Pwning Your Java Messaging With Deserialization Vulnerabilities](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-502", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/unsafe-hostname-verification", + "name": "java/unsafe-hostname-verification", + "shortDescription": { + "text": "Unsafe hostname verification" + }, + "fullDescription": { + "text": "Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Unsafe hostname verification\nIf a `HostnameVerifier` always returns `true` it will not verify the hostname at all. 
This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a man-in-the-middle attack against the application.\n\nAn attack might look like this:\n\n1. The program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.\n1. The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.\n1. The Java HTTPS library checks whether the certificate has been issued for the host `example.com`. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: `malicious.domain`.\n1. The HTTPS library wants to reject the certificate because the hostname does not match. Before doing this it checks whether a `HostnameVerifier` exists.\n1. Your `HostnameVerifier` is called which returns `true` for any certificate so also for this one.\n1. The program proceeds with the connection since your `HostnameVerifier` accepted it.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use an open `HostnameVerifier`. If you have a configuration problem with TLS/HTTPS, you should always solve the configuration problem instead of using an open verifier.\n\n\n## Example\nIn the first (bad) example, the `HostnameVerifier` always returns `true`. This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname. 
In the second (good) example, the `HostnameVerifier` only returns `true` when the certificate has been correctly checked.\n\n\n```java\npublic static void main(String[] args) {\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\treturn true; // BAD: accept even if the hostname doesn't match\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\ttry { // GOOD: verify the certificate\n\t\t\t\t\tCertificate[] certs = session.getPeerCertificates();\n\t\t\t\t\tX509Certificate x509 = (X509Certificate) certs[0];\n\t\t\t\t\tcheck(new String[]{host}, x509);\n\t\t\t\t\treturn true;\n\t\t\t\t} catch (SSLException e) {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n}\n```\n\n## References\n* Android developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Terse systems blog: [Fixing Hostname Verification](https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n", + "markdown": "# Unsafe hostname verification\nIf a `HostnameVerifier` always returns `true` it will not verify the hostname at all. This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a man-in-the-middle attack against the application.\n\nAn attack might look like this:\n\n1. The program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.\n1. The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.\n1. 
The Java HTTPS library checks whether the certificate has been issued for the host `example.com`. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: `malicious.domain`.\n1. The HTTPS library wants to reject the certificate because the hostname does not match. Before doing this it checks whether a `HostnameVerifier` exists.\n1. Your `HostnameVerifier` is called which returns `true` for any certificate so also for this one.\n1. The program proceeds with the connection since your `HostnameVerifier` accepted it.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use an open `HostnameVerifier`. If you have a configuration problem with TLS/HTTPS, you should always solve the configuration problem instead of using an open verifier.\n\n\n## Example\nIn the first (bad) example, the `HostnameVerifier` always returns `true`. This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname. 
In the second (good) example, the `HostnameVerifier` only returns `true` when the certificate has been correctly checked.\n\n\n```java\npublic static void main(String[] args) {\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\treturn true; // BAD: accept even if the hostname doesn't match\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\ttry { // GOOD: verify the certificate\n\t\t\t\t\tCertificate[] certs = session.getPeerCertificates();\n\t\t\t\t\tX509Certificate x509 = (X509Certificate) certs[0];\n\t\t\t\t\tcheck(new String[]{host}, x509);\n\t\t\t\t\treturn true;\n\t\t\t\t} catch (SSLException e) {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n}\n```\n\n## References\n* Android developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Terse systems blog: [Fixing Hostname Verification](https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-297", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql", + "precision": "high", + "security-severity": "5.9" + } + }, + { + "id": "java/unvalidated-url-forward", + "name": "java/unvalidated-url-forward", + "shortDescription": { + "text": "URL forward from a remote source" + }, + "fullDescription": { + "text": "URL forward based on unvalidated user input may cause file information disclosure." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# URL forward from a remote source\nDirectly incorporating user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.\n\n\n## Recommendation\nTo guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\npublic class UrlForward extends HttpServlet {\n\tprivate static final String VALID_FORWARD = \"https://cwe.mitre.org/data/definitions/552.html\";\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\t\tthrows ServletException, IOException {\n\t\tServletConfig cfg = getServletConfig();\n\t\tServletContext sc = cfg.getServletContext();\n\n\t\t// BAD: a request parameter is incorporated without validation into a URL forward\n\t\tsc.getRequestDispatcher(request.getParameter(\"target\")).forward(request, response);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_FORWARD.equals(request.getParameter(\"target\"))) {\n\t\t\tsc.getRequestDispatcher(VALID_FORWARD).forward(request, response);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* OWASP: [Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-552](https://cwe.mitre.org/data/definitions/552.html).\n", + "markdown": "# URL forward from a remote source\nDirectly incorporating 
user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.\n\n\n## Recommendation\nTo guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\npublic class UrlForward extends HttpServlet {\n\tprivate static final String VALID_FORWARD = \"https://cwe.mitre.org/data/definitions/552.html\";\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\t\tthrows ServletException, IOException {\n\t\tServletConfig cfg = getServletConfig();\n\t\tServletContext sc = cfg.getServletContext();\n\n\t\t// BAD: a request parameter is incorporated without validation into a URL forward\n\t\tsc.getRequestDispatcher(request.getParameter(\"target\")).forward(request, response);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_FORWARD.equals(request.getParameter(\"target\"))) {\n\t\t\tsc.getRequestDispatcher(VALID_FORWARD).forward(request, response);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* OWASP: [Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-552](https://cwe.mitre.org/data/definitions/552.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-552", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-552/UrlForward.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/unvalidated-url-redirection", + "name": "java/unvalidated-url-redirection", + "shortDescription": { + "text": "URL redirection from remote source" + }, + "fullDescription": { + "text": "URL redirection based on unvalidated user-input may cause redirection to malicious web sites." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# URL redirection from remote source\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n response.sendRedirect(request.getParameter(\"target\"));\n }\n}\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n private static final List VALID_REDIRECTS = Arrays.asList(\n \"http://cwe.mitre.org/data/definitions/601.html\",\n \"http://cwe.mitre.org/data/definitions/79.html\"\n );\n\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // GOOD: the request parameter is validated against a known list of strings\n String target = request.getParameter(\"target\");\n if (VALID_REDIRECTS.contains(target)) {\n response.sendRedirect(target);\n } else {\n response.sendRedirect(\"/error.html\");\n }\n }\n}\n```\nAlternatively, we can check that the target URL does not redirect to a different host by checking that the URL is either relative or on a known good host:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n try {\n String urlString = request.getParameter(\"page\");\n URI url = new URI(urlString);\n\n if 
(!url.isAbsolute()) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a relative URL\n }\n\n if (\"example.org\".equals(url.getHost())) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a known host\n }\n } catch (URISyntaxException e) {\n // handle exception\n }\n }\n}\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Microsoft Docs: [Preventing Open Redirection Attacks (C\\#)](https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", + "markdown": "# URL redirection from remote source\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n response.sendRedirect(request.getParameter(\"target\"));\n }\n}\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n private static final List VALID_REDIRECTS = Arrays.asList(\n \"http://cwe.mitre.org/data/definitions/601.html\",\n \"http://cwe.mitre.org/data/definitions/79.html\"\n );\n\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // GOOD: the request parameter is validated against a known list of strings\n String target = request.getParameter(\"target\");\n if (VALID_REDIRECTS.contains(target)) {\n response.sendRedirect(target);\n } else {\n response.sendRedirect(\"/error.html\");\n }\n }\n}\n```\nAlternatively, we can check that the target URL does not redirect to a different host by checking that the URL is either relative or on a known good host:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n try {\n String urlString = request.getParameter(\"page\");\n URI url = new URI(urlString);\n\n if 
(!url.isAbsolute()) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a relative URL\n }\n\n if (\"example.org\".equals(url.getHost())) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a known host\n }\n } catch (URISyntaxException e) {\n // handle exception\n }\n }\n}\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Microsoft Docs: [Preventing Open Redirection Attacks (C\\#)](https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-601", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/weak-cryptographic-algorithm", + "name": "java/weak-cryptographic-algorithm", + "shortDescription": { + "text": "Use of a broken or risky cryptographic algorithm" + }, + "fullDescription": { + "text": "Using broken or weak cryptographic algorithms can allow an attacker to compromise security." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of a broken or risky cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. 
Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.\n\n\n## Example\nThe following code shows an example of using a java `Cipher` to encrypt some data. When creating a `Cipher` instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```java\n// BAD: DES is a weak algorithm \nCipher des = Cipher.getInstance(\"DES\");\ncipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);\n\nbyte[] encrypted = cipher.doFinal(input.getBytes(\"UTF-8\"));\n\n// ...\n\n// GOOD: AES is a strong algorithm\nCipher aes = Cipher.getInstance(\"AES\");\n\n// ...\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n", + "markdown": "# Use of a broken or risky cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. 
Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.\n\n\n## Example\nThe following code shows an example of using a java `Cipher` to encrypt some data. When creating a `Cipher` instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```java\n// BAD: DES is a weak algorithm \nCipher des = Cipher.getInstance(\"DES\");\ncipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);\n\nbyte[] encrypted = cipher.doFinal(input.getBytes(\"UTF-8\"));\n\n// ...\n\n// GOOD: AES is a strong algorithm\nCipher aes = Cipher.getInstance(\"AES\");\n\n// ...\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-327", + "external/cwe/cwe-328", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/world-writable-file-read", + "name": "java/world-writable-file-read", + "shortDescription": { + "text": "Reading from a world writable file" + }, + "fullDescription": { + "text": "Reading from a file which is set as world writable is dangerous because the file may be modified or removed by external actors." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Reading from a world writable file\nReading from a world-writable file is dangerous on a multi-user system because other users may be able to affect program execution by modifying or deleting the file.\n\n\n## Recommendation\nDo not make files explicitly world writable unless the file is intended to be written by multiple users on a multi-user system. In many cases, the file may only need to be writable for the current user.\n\nFor some file systems, there may be alternatives to setting the file to be world writable. For example, POSIX file systems support \"groups\" which may be used to ensure that only subset of all the users can write to the file. Access Control Lists (ACLs) are available for many operating system and file system combinations, and can provide fine-grained read and write support without resorting to world writable permissions.\n\n\n## Example\nIn the following example, we are loading some configuration parameters from a file:\n\n```java\n\nprivate void readConfig(File configFile) {\n if (!configFile.exists()) {\n // Create an empty config file\n configFile.createNewFile();\n // Make the file writable for all\n configFile.setWritable(true, false);\n }\n // Now read the config\n loadConfig(configFile);\n}\n\n```\nIf the configuration file does not yet exist, an empty file is created. Creating an empty file can simplify the later code and is a convenience for the user. However, by setting the file to be world writable, we allow any user on the system to modify the configuration, not just the current user. If there may be untrusted users on the system, this is potentially dangerous.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [FIO01-J. 
Create files with appropriate access permissions](https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions).\n* Common Weakness Enumeration: [CWE-732](https://cwe.mitre.org/data/definitions/732.html).\n", + "markdown": "# Reading from a world writable file\nReading from a world-writable file is dangerous on a multi-user system because other users may be able to affect program execution by modifying or deleting the file.\n\n\n## Recommendation\nDo not make files explicitly world writable unless the file is intended to be written by multiple users on a multi-user system. In many cases, the file may only need to be writable for the current user.\n\nFor some file systems, there may be alternatives to setting the file to be world writable. For example, POSIX file systems support \"groups\" which may be used to ensure that only subset of all the users can write to the file. Access Control Lists (ACLs) are available for many operating system and file system combinations, and can provide fine-grained read and write support without resorting to world writable permissions.\n\n\n## Example\nIn the following example, we are loading some configuration parameters from a file:\n\n```java\n\nprivate void readConfig(File configFile) {\n if (!configFile.exists()) {\n // Create an empty config file\n configFile.createNewFile();\n // Make the file writable for all\n configFile.setWritable(true, false);\n }\n // Now read the config\n loadConfig(configFile);\n}\n\n```\nIf the configuration file does not yet exist, an empty file is created. Creating an empty file can simplify the later code and is a convenience for the user. However, by setting the file to be world writable, we allow any user on the system to modify the configuration, not just the current user. If there may be untrusted users on the system, this is potentially dangerous.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [FIO01-J. 
Create files with appropriate access permissions](https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions).\n* Common Weakness Enumeration: [CWE-732](https://cwe.mitre.org/data/definitions/732.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-732", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/xml/xpath-injection", + "name": "java/xml/xpath-injection", + "shortDescription": { + "text": "XPath injection" + }, + "fullDescription": { + "text": "Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or pre-compile the query and use variable references to include the user input.\n\nXPath injection can also be prevented by using XQuery.\n\n\n## Example\nIn the first three examples, the code accepts a name and password specified by the user, and uses this unvalidated and unsanitized value in an XPath expression. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\nIn the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.\n\nThe final two examples are for dom4j. 
They show an example of XPath injection and one method of preventing it.\n\n\n```java\nfinal String xmlStr = \"\" + \n \" \" + \n \" \" + \n \"\";\ntry {\n DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();\n domFactory.setNamespaceAware(true);\n DocumentBuilder builder = domFactory.newDocumentBuilder();\n //Document doc = builder.parse(\"user.xml\");\n Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));\n\n XPathFactory factory = XPathFactory.newInstance();\n XPath xpath = factory.newXPath();\n\n // Injectable data\n String user = request.getParameter(\"user\");\n String pass = request.getParameter(\"pass\");\n if (user != null && pass != null) {\n boolean isExist = false;\n\n // Bad expression\n String expression1 = \"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\";\n isExist = (boolean)xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n XPathExpression expression2 = xpath.compile(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\");\n isExist = (boolean)expression2.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n StringBuffer sb = new StringBuffer(\"/users/user[@name=\");\n sb.append(user);\n sb.append(\"' and @pass='\");\n sb.append(pass);\n sb.append(\"']\");\n String query = sb.toString();\n XPathExpression expression3 = xpath.compile(query);\n isExist = (boolean)expression3.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Good expression\n String expression4 = \"/users/user[@name=$user and @pass=$pass]\";\n xpath.setXPathVariableResolver(v -> {\n switch (v.getLocalPart()) {\n case \"user\":\n return user;\n case \"pass\":\n return pass;\n default:\n throw new IllegalArgumentException();\n }\n });\n isExist = (boolean)xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n\n // Bad Dom4j \n org.dom4j.io.SAXReader 
reader = new org.dom4j.io.SAXReader();\n org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));\n isExist = document.selectSingleNode(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\") != null;\n // or document.selectNodes\n System.out.println(isExist);\n\n // Good Dom4j\n org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();\n svc.setVariableValue(\"user\", user);\n svc.setVariableValue(\"pass\", pass);\n String xpathString = \"/users/user[@name=$user and @pass=$pass]\";\n org.dom4j.XPath safeXPath = document.createXPath(xpathString);\n safeXPath.setVariableContext(svc);\n isExist = safeXPath.selectSingleNode(document) != null;\n System.out.println(isExist);\n }\n} catch (ParserConfigurationException e) {\n\n} catch (SAXException e) {\n\n} catch (XPathExpressionException e) {\n\n} catch (org.dom4j.DocumentException e) {\n\n}\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n", + "markdown": "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or pre-compile the query and use variable references to include the user input.\n\nXPath injection can also be prevented by using XQuery.\n\n\n## Example\nIn the first three examples, the code accepts a name and password specified by the user, and uses this unvalidated and unsanitized value in an XPath expression. 
This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\nIn the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.\n\nThe final two examples are for dom4j. They show an example of XPath injection and one method of preventing it.\n\n\n```java\nfinal String xmlStr = \"\" + \n \" \" + \n \" \" + \n \"\";\ntry {\n DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();\n domFactory.setNamespaceAware(true);\n DocumentBuilder builder = domFactory.newDocumentBuilder();\n //Document doc = builder.parse(\"user.xml\");\n Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));\n\n XPathFactory factory = XPathFactory.newInstance();\n XPath xpath = factory.newXPath();\n\n // Injectable data\n String user = request.getParameter(\"user\");\n String pass = request.getParameter(\"pass\");\n if (user != null && pass != null) {\n boolean isExist = false;\n\n // Bad expression\n String expression1 = \"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\";\n isExist = (boolean)xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n XPathExpression expression2 = xpath.compile(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\");\n isExist = (boolean)expression2.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n StringBuffer sb = new StringBuffer(\"/users/user[@name=\");\n sb.append(user);\n sb.append(\"' and @pass='\");\n sb.append(pass);\n sb.append(\"']\");\n String query = sb.toString();\n XPathExpression expression3 = xpath.compile(query);\n isExist = (boolean)expression3.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Good expression\n String expression4 = \"/users/user[@name=$user and @pass=$pass]\";\n xpath.setXPathVariableResolver(v -> {\n switch 
(v.getLocalPart()) {\n case \"user\":\n return user;\n case \"pass\":\n return pass;\n default:\n throw new IllegalArgumentException();\n }\n });\n isExist = (boolean)xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n\n // Bad Dom4j \n org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();\n org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));\n isExist = document.selectSingleNode(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\") != null;\n // or document.selectNodes\n System.out.println(isExist);\n\n // Good Dom4j\n org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();\n svc.setVariableValue(\"user\", user);\n svc.setVariableValue(\"pass\", pass);\n String xpathString = \"/users/user[@name=$user and @pass=$pass]\";\n org.dom4j.XPath safeXPath = document.createXPath(xpathString);\n safeXPath.setVariableContext(svc);\n isExist = safeXPath.selectSingleNode(document) != null;\n System.out.println(isExist);\n }\n} catch (ParserConfigurationException e) {\n\n} catch (SAXException e) {\n\n} catch (XPathExpressionException e) {\n\n} catch (org.dom4j.DocumentException e) {\n\n}\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-643", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/xslt-injection", + "name": "java/xslt-injection", + "shortDescription": { + 
"text": "XSLT transformation with user-controlled stylesheet" + }, + "fullDescription": { + "text": "Performing an XSLT transformation with user-controlled stylesheets can lead to information disclosure or execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# XSLT transformation with user-controlled stylesheet\nXSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.\n\n\n## Example\nIn the following examples, the code accepts an XSLT stylesheet from the user and processes it.\n\nIn the first example, the user-provided XSLT stylesheet is parsed and processed.\n\nIn the second example, secure processing mode is enabled.\n\n\n```java\nimport javax.xml.XMLConstants;\nimport javax.xml.transform.TransformerFactory;\nimport javax.xml.transform.stream.StreamResult;\nimport javax.xml.transform.stream.StreamSource;\n\npublic void transform(Socket socket, String inputXml) throws Exception {\n StreamSource xslt = new StreamSource(socket.getInputStream());\n StreamSource xml = new StreamSource(new StringReader(inputXml));\n StringWriter result = new StringWriter();\n TransformerFactory factory = TransformerFactory.newInstance();\n\n // BAD: User provided XSLT stylesheet is processed\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n\n // GOOD: The secure processing mode is enabled\n factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n} \n```\n\n## References\n* Wikipedia: [XSLT](https://en.wikipedia.org/wiki/XSLT).\n* 
The Java Tutorials: [Transforming XML Data with XSLT](https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html).\n* [XSLT Injection Basics](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n", + "markdown": "# XSLT transformation with user-controlled stylesheet\nXSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.\n\n\n## Example\nIn the following examples, the code accepts an XSLT stylesheet from the user and processes it.\n\nIn the first example, the user-provided XSLT stylesheet is parsed and processed.\n\nIn the second example, secure processing mode is enabled.\n\n\n```java\nimport javax.xml.XMLConstants;\nimport javax.xml.transform.TransformerFactory;\nimport javax.xml.transform.stream.StreamResult;\nimport javax.xml.transform.stream.StreamSource;\n\npublic void transform(Socket socket, String inputXml) throws Exception {\n StreamSource xslt = new StreamSource(socket.getInputStream());\n StreamSource xml = new StreamSource(new StringReader(inputXml));\n StringWriter result = new StringWriter();\n TransformerFactory factory = TransformerFactory.newInstance();\n\n // BAD: User provided XSLT stylesheet is processed\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n\n // GOOD: The secure processing mode is enabled\n factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n} \n```\n\n## References\n* Wikipedia: 
[XSLT](https://en.wikipedia.org/wiki/XSLT).\n* The Java Tutorials: [Transforming XML Data with XSLT](https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html).\n* [XSLT Injection Basics](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-074", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/xss", + "name": "java/xss", + "shortDescription": { + "text": "Cross-site scripting" + }, + "fullDescription": { + "text": "Writing user input directly to a web page allows for a cross-site scripting vulnerability." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the reference.\n\n\n## Example\nThe following example shows the `page` parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.\n\n\n```java\npublic class XSS extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: a request parameter is written directly to the Servlet response stream\n\t\tresponse.getWriter().print(\n\t\t\t\t\"The page \\\"\" + request.getParameter(\"page\") + \"\\\" was not found.\");\n\n\t}\n}\n\n```\n\n## References\n* OWASP: [XSS 
(Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n", + "markdown": "# Cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the reference.\n\n\n## Example\nThe following example shows the `page` parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.\n\n\n```java\npublic class XSS extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: a request parameter is written directly to the Servlet response stream\n\t\tresponse.getWriter().print(\n\t\t\t\t\"The page \\\"\" + request.getParameter(\"page\") + \"\\\" was not found.\");\n\n\t}\n}\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-079/XSS.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/xxe", + "name": 
"java/xxe", + "shortDescription": { + "text": "Resolving XML external entity in user-controlled data" + }, + "fullDescription": { + "text": "Parsing user-controlled XML documents and allowing expansion of external entity references may lead to disclosure of confidential data or denial of service." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Resolving XML external entity in user-controlled data\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation.\n\nThere are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: `javax.xml.parsers.DocumentBuilder`, `javax.xml.stream.XMLStreamReader`, `org.jdom.input.SAXBuilder`/`org.jdom2.input.SAXBuilder`, `javax.xml.parsers.SAXParser`,`org.dom4j.io.SAXReader`, `org.xml.sax.XMLReader`, `javax.xml.transform.sax.SAXSource`, `javax.xml.transform.TransformerFactory`, `javax.xml.transform.sax.SAXTransformerFactory`, `javax.xml.validation.SchemaFactory`, `javax.xml.bind.Unmarshaller` and `javax.xml.xpath.XPathExpression`.\n\n\n## Recommendation\nThe best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. If this is not possible you should disable the parsing of external general entities and external parameter entities. This improves security but the code will still be at risk of denial of service and server side request forgery attacks. 
Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done by default in recent JDK and JRE implementations. We recommend visiting OWASP's [XML Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java), finding the specific XML parser, and applying the mitigation listed there. Other mitigations might be sufficient in some cases, but manual verification will be needed, as the query will continue to flag the parser as potentially dangerous.\n\n\n## Example\nThe following example calls `parse` on a `DocumentBuilder` that is not safely configured on untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic void parse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //unsafe\n}\n\n```\nIn this example, the `DocumentBuilder` is created with DTD disabled, securing it against XXE attack.\n\n\n```java\npublic void disableDTDParse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //safe\n}\n\n```\n\n## References\n* OWASP vulnerability description: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* OWASP guidance on parsing xml files: [XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java).\n* Paper by Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/)\n* Out-of-band data retrieval: Timur Yunusov & 
Alexey Osipov, Black hat EU 2013: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Denial of service attack (Billion laughs): [Billion Laughs.](https://en.wikipedia.org/wiki/Billion_laughs)\n* The Java Tutorials: [Processing Limit Definitions.](https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html)\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n", + "markdown": "# Resolving XML external entity in user-controlled data\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation.\n\nThere are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: `javax.xml.parsers.DocumentBuilder`, `javax.xml.stream.XMLStreamReader`, `org.jdom.input.SAXBuilder`/`org.jdom2.input.SAXBuilder`, `javax.xml.parsers.SAXParser`,`org.dom4j.io.SAXReader`, `org.xml.sax.XMLReader`, `javax.xml.transform.sax.SAXSource`, `javax.xml.transform.TransformerFactory`, `javax.xml.transform.sax.SAXTransformerFactory`, `javax.xml.validation.SchemaFactory`, `javax.xml.bind.Unmarshaller` and `javax.xml.xpath.XPathExpression`.\n\n\n## Recommendation\nThe best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. 
If this is not possible you should disable the parsing of external general entities and external parameter entities. This improves security but the code will still be at risk of denial of service and server side request forgery attacks. Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done by default in recent JDK and JRE implementations. We recommend visiting OWASP's [XML Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java), finding the specific XML parser, and applying the mitigation listed there. Other mitigations might be sufficient in some cases, but manual verification will be needed, as the query will continue to flag the parser as potentially dangerous.\n\n\n## Example\nThe following example calls `parse` on a `DocumentBuilder` that is not safely configured on untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic void parse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //unsafe\n}\n\n```\nIn this example, the `DocumentBuilder` is created with DTD disabled, securing it against XXE attack.\n\n\n```java\npublic void disableDTDParse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //safe\n}\n\n```\n\n## References\n* OWASP vulnerability description: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* OWASP guidance on parsing xml files: [XXE Prevention Cheat 
Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java).\n* Paper by Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/)\n* Out-of-band data retrieval: Timur Yunusov & Alexey Osipov, Black hat EU 2013: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Denial of service attack (Billion laughs): [Billion Laughs.](https://en.wikipedia.org/wiki/Billion_laughs)\n* The Java Tutorials: [Processing Limit Definitions.](https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html)\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-611", + "external/cwe/cwe-776", + "external/cwe/cwe-827", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-611/XXE.ql", + "precision": "high", + "security-severity": "9.1" + } + }, + { + "id": "java/zipslip", + "name": "java/zipslip", + "shortDescription": { + "text": "Arbitrary file access during archive extraction (\"Zip Slip\")" + }, + "fullDescription": { + "text": "Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to verify that the normalized full path of the output file starts with a prefix that matches the destination directory. Path normalization can be done with either `java.io.File.getCanonicalFile()` or `java.nio.file.Path.normalize()`. Prefix checking can be done with `String.startsWith(..)`, but it is better to use `java.nio.file.Path.startsWith(..)`, as the latter works on complete path segments.\n\nAnother alternative is to validate archive entries against a whitelist of expected files.\n\n\n## Example\nIn this example, a file path taken from a zip archive item entry is combined with a destination directory. 
The result is used as the destination file path without verifying that the result is within the destination directory. If provided with a zip file containing an archive path like `..\\sneaky-file`, then this file would be written outside the destination directory.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n FileOutputStream fos = new FileOutputStream(file); // BAD\n // ... write entry to fos ...\n}\n\n```\nTo fix this vulnerability, we need to verify that the normalized `file` still has `destinationDir` as its prefix, and throw an exception if this is not the case.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n if (!file.toPath().normalize().startsWith(destinationDir.toPath()))\n throw new Exception(\"Bad zip entry\");\n FileOutputStream fos = new FileOutputStream(file); // OK\n // ... write entry to fos ...\n}\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n", + "markdown": "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. 
This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to verify that the normalized full path of the output file starts with a prefix that matches the destination directory. Path normalization can be done with either `java.io.File.getCanonicalFile()` or `java.nio.file.Path.normalize()`. Prefix checking can be done with `String.startsWith(..)`, but it is better to use `java.nio.file.Path.startsWith(..)`, as the latter works on complete path segments.\n\nAnother alternative is to validate archive entries against a whitelist of expected files.\n\n\n## Example\nIn this example, a file path taken from a zip archive item entry is combined with a destination directory. The result is used as the destination file path without verifying that the result is within the destination directory. If provided with a zip file containing an archive path like `..\\sneaky-file`, then this file would be written outside the destination directory.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n FileOutputStream fos = new FileOutputStream(file); // BAD\n // ... 
write entry to fos ...\n}\n\n```\nTo fix this vulnerability, we need to verify that the normalized `file` still has `destinationDir` as its prefix, and throw an exception if this is not the case.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n if (!file.toPath().normalize().startsWith(destinationDir.toPath()))\n throw new Exception(\"Bad zip entry\");\n FileOutputStream fos = new FileOutputStream(file); // OK\n // ... write entry to fos ...\n}\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-022", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql", + "precision": "high", + "security-severity": "7.5" + } + } + ] + }, + { + "name": "codeql/java-all", + "semanticVersion": "4.2.0+39a67b6e2e6490a9bd010db50e148f647765e9f7" + }, + { + "name": "codeql/threat-models", + "semanticVersion": "1.0.11+39a67b6e2e6490a9bd010db50e148f647765e9f7" + } + ] + }, + "conversion": { + "tool": { + "driver": { + "name": "GitHub Code Scanning" + } + } + }, + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/hintwatermelon/roller", + "revisionId": "ae178afba90652edeb2b997a6416910684d8d742", + "branch": "refs/heads/master" + } + ], + "artifacts": [ + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + } + }, + { + "location": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + } + }, + { + "location": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 18 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java", + "index": 24 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java", + "index": 25 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java", + "index": 26 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java", + "index": 27 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java", + "index": 28 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java", + "index": 29 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java", + 
"index": 30 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java", + "index": 31 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java", + "index": 32 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java", + "index": 33 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java", + "index": 34 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java", + "index": 35 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java", + "index": 36 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java", + "index": 37 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java", + "index": 38 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java", + "index": 39 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java", + "index": 40 + } + } + ], + "results": [ + { + "ruleId": "java/http-response-splitting", + "rule": { + "id": "java/http-response-splitting", + "index": 15, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 133, + "startColumn": 59, + "endLine": 133, + "endColumn": 76 + } + } + } + ], + "correlationGuid": "aa4c5176-3f0c-485c-9bdc-1c9cd2023d09", + "partialFingerprints": { + "primaryLocationLineHash": "a43352b656264e63:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 49, + "startColumn": 20, + "endLine": 49, + "endColumn": 28 + } + }, + "message": { + "text": "folderId : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 52 + } + }, + "message": { + "text": "folderId : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 70 + } + }, + "message": { + "text": "replace(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 88 + } + }, + "message": { + "text": "replace(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 133, + "startColumn": 59, + "endLine": 133, + "endColumn": 76 + } + }, + "message": { + "text": "sanetizedFolderID" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 49, + "startColumn": 20, + "endLine": 49, + "endColumn": 28 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/8", + "github/alertNumber": 8 + } + }, + { + "ruleId": "java/http-response-splitting", + "rule": { + "id": "java/http-response-splitting", + "index": 15, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + } + } + ], + "correlationGuid": "9a544acb-9e25-40b7-84ea-6f48b454f3fb", + "partialFingerprints": { + "primaryLocationLineHash": "41fbc440cf27dfd0:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "getParameter(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + }, + "message": { + "text": "callback" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 0 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/9", + "github/alertNumber": 9 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1).\nPotential 
Insecure randomness due to a [Insecure randomness source.](2)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + } + } + ], + "correlationGuid": "bd7483e8-25f4-41a7-bc67-785e5ccb280d", + "partialFingerprints": { + "primaryLocationLineHash": "ebe2869d4f29cd7e:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + }, + "region": { + "startLine": 161, + "startColumn": 39, + "endLine": 161, + "endColumn": 80 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + }, + "region": { + "startLine": 162, + "startColumn": 36, + "endLine": 162, + "endColumn": 48 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 119, + "startColumn": 31, + "endLine": 119, + "endColumn": 49 + } + }, + "message": { + "text": "newPassword : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + }, + "message": { + "text": "newPassword" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + }, + "region": { + "startLine": 110, + "startColumn": 39, + "endLine": 110, + "endColumn": 80 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + }, + "region": { + "startLine": 111, + "startColumn": 44, + "endLine": 111, + "endColumn": 56 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 119, + "startColumn": 31, + "endLine": 119, + "endColumn": 49 + } + }, + "message": { + "text": "newPassword : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + }, + "message": { + "text": "newPassword" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 0 + }, + "region": { + "startLine": 161, + "startColumn": 39, + "endLine": 161, + "endColumn": 80 + } + }, + "message": { + "text": "Insecure randomness source." + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 0 + }, + "region": { + "startLine": 110, + "startColumn": 39, + "endLine": 110, + "endColumn": 80 + } + }, + "message": { + "text": "Insecure randomness source." 
+ } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/10", + "github/alertNumber": 10 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 122, + "startColumn": 29, + "endLine": 122, + "endColumn": 41 + } + } + } + ], + "correlationGuid": "42e549d2-c275-4945-bf40-d6bebb689d9d", + "partialFingerprints": { + "primaryLocationLineHash": "a706f813f09b282d:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "randomAlphanumeric(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 371, + "startColumn": 39, + "endLine": 371, + "endColumn": 51 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 121, + "startColumn": 33, + "endLine": 121, + "endColumn": 52 + } + }, + "message": { + "text": "passwordText : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 122, + "startColumn": 29, + "endLine": 122, + "endColumn": 41 + } + }, + "message": { + "text": "passwordText" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 0 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "Insecure randomness source." + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/11", + "github/alertNumber": 11 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 130, + "startColumn": 32, + "endLine": 130, + "endColumn": 47 + } + } + } + ], + "correlationGuid": "d090be49-7c07-4548-be1c-d6a277e20f2e", + "partialFingerprints": { + "primaryLocationLineHash": "a7e8967f80765bad:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 372, + "startColumn": 42, + "endLine": 372, + "endColumn": 54 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 129, + "startColumn": 36, + "endLine": 129, + "endColumn": 58 + } + }, + "message": { + "text": "passwordConfirm : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 130, + "startColumn": 32, + "endLine": 130, + "endColumn": 47 + } + }, + "message": { + "text": "passwordConfirm" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 0 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "Insecure randomness source." + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/12", + "github/alertNumber": 12 + } + }, + { + "ruleId": "java/unvalidated-url-redirection", + "rule": { + "id": "java/unvalidated-url-redirection", + "index": 66, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Untrusted URL redirection depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + } + } + ], + "correlationGuid": "5bb7aec0-639e-4365-93a7-e41e00f18ec6", + "partialFingerprints": { + "primaryLocationLineHash": "41fbc440cf27dfd0:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "getParameter(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + }, + "message": { + "text": "callback" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 0 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/13", + "github/alertNumber": 13 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + } + } + ], + "correlationGuid": "ba9b5766-17b3-4de4-a1b7-79df1e478644", + "partialFingerprints": { + "primaryLocationLineHash": "cccb6385104d4c00:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/14", + "github/alertNumber": 14 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + } + } + ], + "correlationGuid": "6ef05652-94ad-44b8-8e9c-f77e493a8e2d", + "partialFingerprints": { + "primaryLocationLineHash": "df1362749a3e519c:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/15", + "github/alertNumber": 15 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + } + } + ], + "correlationGuid": "e116e0f4-cd03-4270-ab36-3b83f00ee00e", + "partialFingerprints": { + "primaryLocationLineHash": "871c3cf166627615:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 319, + "startColumn": 19, + "endLine": 319, + "endColumn": 134 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 322, + "startColumn": 19, + "endLine": 322, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 319, + "startColumn": 19, + "endLine": 319, + "endColumn": 134 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 322, + "startColumn": 19, + "endLine": 322, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/16", + "github/alertNumber": 16 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + } + } + ], + "correlationGuid": "db4c7ae4-0eda-47d9-aa17-02047f46b732", + "partialFingerprints": { + "primaryLocationLineHash": "f797cd6a2e95a76a:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 24, + "endLine": 95, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 13, + "endLine": 95, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 
11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + 
"artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 20, + "endLine": 94, + "endColumn": 58 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 9, + "endLine": 94, + "endColumn": 12 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 15 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 26 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + 
"index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + 
"uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/17", + "github/alertNumber": 17 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + } + } + ], + "correlationGuid": "2f804f4f-770f-4999-b2a6-e36f3f91f614", + "partialFingerprints": { + "primaryLocationLineHash": "d06c87887323661e:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 
141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": 
{ + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/18", + "github/alertNumber": 18 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + } + } + ], + "correlationGuid": "ed3376eb-e089-4f43-9bf8-adbd4676887b", + "partialFingerprints": { + "primaryLocationLineHash": "f797b1b59b078d8f:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 24, + "endLine": 95, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 13, + "endLine": 95, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 
11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + 
"artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 20, + "endLine": 94, + "endColumn": 58 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 9, + "endLine": 94, + "endColumn": 12 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 15 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 26 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + 
"index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + 
"uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/19", + "github/alertNumber": 19 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + } + } + ], + "correlationGuid": "47fdf168-4a30-4479-a4ee-b5810a9bee24", + "partialFingerprints": { + "primaryLocationLineHash": "6d90bf8993f560aa:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 
141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": 
{ + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/20", + "github/alertNumber": 20 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1).\nCross-site scripting vulnerability due to a [user-provided value](2)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + } + } + ], + "correlationGuid": "1b6fba72-5d1f-48f1-9f91-ddaa6ff07f20", + "partialFingerprints": { + "primaryLocationLineHash": "e41b363d572cf6d8:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 72, + "startColumn": 26, + "endLine": 72, + "endColumn": 58 + } + }, + "message": { + "text": "getParameter(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 87, + "startColumn": 13, + "endLine": 87, + "endColumn": 29 + } + }, + "message": { + "text": "... + ... : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 87, + "startColumn": 3, + "endLine": 87, + "endColumn": 5 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 12 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 23 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + }, + "message": { + "text": "getHtml(...)" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 73, + "startColumn": 26, + "endLine": 73, + "endColumn": 58 + } + }, + "message": { + "text": "getParameter(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 94, + "startColumn": 13, + "endLine": 94, + "endColumn": 29 + } + }, + "message": { + "text": "... + ... 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 94, + "startColumn": 3, + "endLine": 94, + "endColumn": 5 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 12 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 23 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + }, + "message": { + "text": "getHtml(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 0 + }, + "region": { + "startLine": 72, + "startColumn": 26, + "endLine": 72, + "endColumn": 58 + } + }, + "message": { + "text": "user-provided value" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 0 + }, + "region": { + "startLine": 73, + "startColumn": 26, + "endLine": 73, + "endColumn": 58 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/21", + "github/alertNumber": 21 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 81, + "startColumn": 37, + "endLine": 81, + "endColumn": 50 + } + } + } + ], + "correlationGuid": "41fb6220-c807-46cf-8acf-a02ad395aa77", + "partialFingerprints": { + "primaryLocationLineHash": "cf23dfd372a61ea3:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 81, + "startColumn": 37, + "endLine": 81, + "endColumn": 50 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": 
"https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/22", + "github/alertNumber": 22 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 86, + "startColumn": 50, + "endLine": 86, + "endColumn": 63 + } + } + } + ], + "correlationGuid": "19ac3ae8-6aee-4c71-83e5-3ad805b42e72", + "partialFingerprints": { + "primaryLocationLineHash": "103f70b0007fdfad:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 86, + "startColumn": 50, + "endLine": 86, + "endColumn": 63 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/23", + "github/alertNumber": 23 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 112, + "startColumn": 21, + "endLine": 112, + "endColumn": 34 + } + } + } + ], + "correlationGuid": "bd7ccb79-f108-47d2-ba9c-03ae9ca99d04", + "partialFingerprints": { + "primaryLocationLineHash": "9a91c0ae5a3ea9d:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + 
"index": 17 + }, + "region": { + "startLine": 112, + "startColumn": 21, + "endLine": 112, + "endColumn": 34 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/24", + "github/alertNumber": 24 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 18 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + } + } + ], + "correlationGuid": "3088f3ec-6971-4d9e-98fc-8f02dfab52c3", + "partialFingerprints": { + "primaryLocationLineHash": "9449418b46954eb:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 18 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 18 + }, + "region": { + "startLine": 129, + 
"startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 18 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 18 + }, + "region": { + "startLine": 125, + "startColumn": 21, + "endLine": 125, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 18 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 18 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 18 + }, + "region": { + "startLine": 126, + "startColumn": 41, + "endLine": 126, + "endColumn": 58 + } + }, + "message": { + "text": "this.uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + 
"artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 18 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 0 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/27", + "github/alertNumber": 27 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 147, + "startColumn": 48, + "endLine": 147, + "endColumn": 58 + } + } + } + ], + "correlationGuid": "16ab249d-cb7d-4003-bb25-4237836305d5", + "partialFingerprints": { + "primaryLocationLineHash": "77597f482b4d5d50:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 266, + "startColumn": 16, + "endLine": 266, + "endColumn": 29 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 139, + "startColumn": 30, + "endLine": 139, + "endColumn": 48 + } + }, + "message": { + "text": "getUploadedFiles(...) 
: File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 147, + "startColumn": 48, + "endLine": 147, + "endColumn": 58 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 0 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/25", + "github/alertNumber": 25 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + } + } + ], + "correlationGuid": "485410bf-8cbf-48eb-8680-82e1d52843ff", + "partialFingerprints": { + "primaryLocationLineHash": "2b2bb9cdd3635201:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 173, + "startColumn": 45, + "endLine": 173, + "endColumn": 63 + } + }, + "message": { + "text": "this.uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 51 + } + }, + "message": { + "text": "this.uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 19 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 0 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/26", + "github/alertNumber": 26 + } + }, + { + "ruleId": "java/polynomial-redos", + "rule": { + "id": "java/polynomial-redos", + "index": 38, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with 'b' and with many repetitions of 'b'." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + } + } + ], + "correlationGuid": "2f63c4a7-4170-47c8-917b-9ca3a0115f38", + "partialFingerprints": { + "primaryLocationLineHash": "f22c138a13ff3a37:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + "endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) 
: WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + 
"startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 988, + "startColumn": 34, + "endLine": 988, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 897, + "startColumn": 19, + "endLine": 897, + "endColumn": 37 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 302, + "startColumn": 19, + "endLine": 302, + "endColumn": 26 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + 
"startLine": 303, + "startColumn": 16, + "endLine": 303, + "endColumn": 25 + } + }, + "message": { + "text": "this.text : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "getText(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + 
"startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + 
"endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 107, + "startColumn": 24, + "endLine": 107, + "endColumn": 29 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 107, + "startColumn": 24, + "endLine": 107, + "endColumn": 29 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + 
"endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + "startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 990, + "startColumn": 34, + "endLine": 990, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 904, + "startColumn": 19, + "endLine": 904, + "endColumn": 40 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 274, + 
"startColumn": 19, + "endLine": 274, + "endColumn": 29 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 275, + "startColumn": 16, + "endLine": 275, + "endColumn": 23 + } + }, + "message": { + "text": "summary : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "getSummary(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + 
"startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + "startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 49, + "startColumn": 19, + "endLine": 49, + "endColumn": 22 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 49, + "startColumn": 19, + "endLine": 49, + "endColumn": 69 + } + }, + "message": { + "text": "replaceFirst(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + "endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) 
: WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + 
"startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 996, + "startColumn": 34, + "endLine": 996, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 904, + "startColumn": 19, + "endLine": 904, + "endColumn": 40 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 274, + "startColumn": 19, + "endLine": 274, + "endColumn": 29 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + 
"startLine": 275, + "startColumn": 16, + "endLine": 275, + "endColumn": 23 + } + }, + "message": { + "text": "summary : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "getSummary(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + 
"startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + 
"endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + 
"startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1007, + "startColumn": 34, + "endLine": 1007, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 897, + "startColumn": 19, + "endLine": 897, + "endColumn": 37 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 302, + "startColumn": 19, + "endLine": 302, + "endColumn": 26 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + 
"startLine": 303, + "startColumn": 16, + "endLine": 303, + "endColumn": 25 + } + }, + "message": { + "text": "this.text : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "getText(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + 
"startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 0 + }, + "region": { + "startLine": 38, + "startColumn": 33, + "endLine": 38, + "endColumn": 51 + } + }, + "message": { + "text": "regular expression" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 0 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/28", + "github/alertNumber": 28 + } + }, + { + "ruleId": "java/polynomial-redos", + "rule": { + "id": "java/polynomial-redos", + "index": 38, + "toolComponent": { + "index": 0 + } + }, + 
"message": { + "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '' and with many repetitions of '
a'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 24
+                },
+                "region": {
+                  "startLine": 61,
+                  "startColumn": 51,
+                  "endLine": 61,
+                  "endColumn": 54
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f9b0a3a9-8833-461c-93ec-3a12c3a72f91",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "80ff14788737bca8:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 996,
+                            "startColumn": 34,
+                            "endLine": 996,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1007,
+                            "startColumn": 34,
+                            "endLine": 1007,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 38,
+                  "startColumn": 22,
+                  "endLine": 38,
+                  "endColumn": 27
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 38,
+                  "startColumn": 29,
+                  "endLine": 38,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/29",
+            "github/alertNumber": 29
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '' and with many repetitions of 'a'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 24
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 57,
+                  "endLine": 68,
+                  "endColumn": 66
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f9eb5f85-f753-42b1-8c6b-3bd3ef5db56e",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "6d309d833fb2b46b:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 996,
+                            "startColumn": 34,
+                            "endLine": 996,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1007,
+                            "startColumn": 34,
+                            "endLine": 1007,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 41,
+                  "startColumn": 24,
+                  "endLine": 41,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 41,
+                  "startColumn": 31,
+                  "endLine": 41,
+                  "endColumn": 34
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/30",
+            "github/alertNumber": 30
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 60,
+                  "startColumn": 88,
+                  "endLine": 60,
+                  "endColumn": 90
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/31",
+            "github/alertNumber": 31
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of ' '."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 179,
+                  "startColumn": 68,
+                  "endLine": 179,
+                  "endColumn": 77
+                }
+              }
+            }
+          ],
+          "correlationGuid": "0068dc73-44a6-456e-83a7-5fe04b5899e9",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f7eba83359081407:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 66,
+                  "startColumn": 77,
+                  "endLine": 66,
+                  "endColumn": 81
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/32",
+            "github/alertNumber": 32
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of '!'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 235,
+                  "startColumn": 67,
+                  "endLine": 235,
+                  "endColumn": 70
+                }
+              }
+            }
+          ],
+          "correlationGuid": "b4530215-fde8-4f7d-8718-57bc4d310a08",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f77ea2ce3b67490a:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 67,
+                  "endLine": 68,
+                  "endColumn": 76
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/33",
+            "github/alertNumber": 33
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](2) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](4) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](5) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](6) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](7) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](8) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](8) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 249,
+                  "startColumn": 83,
+                  "endLine": 249,
+                  "endColumn": 93
+                }
+              }
+            }
+          ],
+          "correlationGuid": "ebd7d4fc-18fe-4894-ad98-05b92939b9a6",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "d2f751956bb0d070:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 174,
+                            "startColumn": 38,
+                            "endLine": 174,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 19,
+                            "endLine": 66,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 67,
+                            "startColumn": 16,
+                            "endLine": 67,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 174,
+                            "startColumn": 38,
+                            "endLine": 174,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "getUserName(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 30,
+                            "endLine": 94,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 95,
+                            "startColumn": 62,
+                            "endLine": 95,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 17,
+                            "endLine": 413,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 82,
+                            "startColumn": 40,
+                            "endLine": 82,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 109,
+                            "startColumn": 19,
+                            "endLine": 109,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 110,
+                            "startColumn": 16,
+                            "endLine": 110,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 82,
+                            "startColumn": 40,
+                            "endLine": 82,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getOpenIdUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 47,
+                            "endLine": 86,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "openidurl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 30,
+                            "endLine": 131,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 132,
+                            "startColumn": 63,
+                            "endLine": 132,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 17,
+                            "endLine": 413,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 70,
+                  "startColumn": 73,
+                  "endLine": 70,
+                  "endColumn": 75
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 70,
+                  "startColumn": 98,
+                  "endLine": 70,
+                  "endColumn": 103
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 8,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/34",
+            "github/alertNumber": 34
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings starting with '<' and with many repetitions of '<'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 290,
+                  "startColumn": 103,
+                  "endLine": 290,
+                  "endColumn": 106
+                }
+              }
+            }
+          ],
+          "correlationGuid": "98c49d16-a691-4397-87d1-0bebd5d9982a",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "ea89bbca86ba4590:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 64,
+                  "startColumn": 65,
+                  "endLine": 64,
+                  "endColumn": 67
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/35",
+            "github/alertNumber": 35
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings starting with '<' and with many repetitions of '<'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 308,
+                  "startColumn": 40,
+                  "endLine": 308,
+                  "endColumn": 43
+                }
+              }
+            }
+          ],
+          "correlationGuid": "5b53c901-1227-4899-94b0-02de15b8ef1b",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "7fd366a6b63e95c3:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 64,
+                  "startColumn": 65,
+                  "endLine": 64,
+                  "endColumn": 67
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/36",
+            "github/alertNumber": 36
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 49,
+                  "startColumn": 36,
+                  "endLine": 49,
+                  "endColumn": 51
+                }
+              }
+            }
+          ],
+          "correlationGuid": "1923e2ac-ef5c-43bf-b786-86bf2b341004",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "77bb988d556b367:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/37",
+            "github/alertNumber": 37
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 66,
+                  "startColumn": 36,
+                  "endLine": 66,
+                  "endColumn": 38
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f7e56bbc-467c-4e07-a916-b3b3c362a229",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "e97d22a8b2a0b291:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/38",
+            "github/alertNumber": 38
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 71,
+                  "startColumn": 36,
+                  "endLine": 71,
+                  "endColumn": 39
+                }
+              }
+            }
+          ],
+          "correlationGuid": "49c124bf-2a10-4623-9976-3376d4c86436",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "9713a8da9d6dd391:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 67
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 67
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/39",
+            "github/alertNumber": 39
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                  "index": 32
+                },
+                "region": {
+                  "startLine": 438,
+                  "startColumn": 48,
+                  "endLine": 438,
+                  "endColumn": 53
+                }
+              }
+            }
+          ],
+          "correlationGuid": "d8bfdf72-6bfc-410e-8a9f-acdb38e8d713",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "41fca1ccdb5c516f:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 55,
+                            "startColumn": 30,
+                            "endLine": 55,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "bean : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 204,
+                            "startColumn": 16,
+                            "endLine": 204,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 47,
+                            "endLine": 195,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java",
+                            "index": 34
+                          },
+                          "region": {
+                            "startLine": 101,
+                            "startColumn": 19,
+                            "endLine": 101,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java",
+                            "index": 34
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 16,
+                            "endLine": 102,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this.bannedwordslist : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 47,
+                            "endLine": 195,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getBannedwordslist(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 427,
+                            "startColumn": 9,
+                            "endLine": 427,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "bannedwordslist : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 431,
+                            "startColumn": 53,
+                            "endLine": 431,
+                            "endColumn": 83
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 431,
+                            "startColumn": 33,
+                            "endLine": 431,
+                            "endColumn": 90
+                          }
+                        },
+                        "message": {
+                          "text": "new StringTokenizer(...) : StringTokenizer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "toker : StringTokenizer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "nextToken(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 438,
+                            "startColumn": 48,
+                            "endLine": 438,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 55,
+                  "startColumn": 30,
+                  "endLine": 55,
+                  "endColumn": 34
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/40",
+            "github/alertNumber": 40
+          }
+        },
+        {
+          "ruleId": "java/ssrf",
+          "rule": {
+            "id": "java/ssrf",
+            "index": 47,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Potential server-side request forgery due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                  "index": 35
+                },
+                "region": {
+                  "startLine": 230,
+                  "startColumn": 57,
+                  "endLine": 230,
+                  "endColumn": 72
+                }
+              }
+            }
+          ],
+          "correlationGuid": "9d0ad640-089c-4ee1-b3ed-dfbe72c4e5b1",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "248fddc681a75a01:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 20,
+                            "endLine": 49,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 313,
+                            "startColumn": 16,
+                            "endLine": 313,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 53,
+                            "endLine": 188,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getSubUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 43,
+                            "endLine": 74,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 34,
+                            "endLine": 75,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 83,
+                            "startColumn": 43,
+                            "endLine": 83,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 93,
+                            "startColumn": 30,
+                            "endLine": 93,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 32,
+                            "endLine": 228,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 68,
+                            "endLine": 230,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 57,
+                            "endLine": 230,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "create(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 20,
+                            "endLine": 49,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 313,
+                            "startColumn": 16,
+                            "endLine": 313,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 53,
+                            "endLine": 188,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getSubUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 43,
+                            "endLine": 74,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 34,
+                            "endLine": 75,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java",
+                            "index": 37
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 43,
+                            "endLine": 63,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java",
+                            "index": 37
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 44,
+                            "endLine": 74,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 83,
+                            "startColumn": 43,
+                            "endLine": 83,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 93,
+                            "startColumn": 30,
+                            "endLine": 93,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 32,
+                            "endLine": 228,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 68,
+                            "endLine": 230,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 57,
+                            "endLine": 230,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "create(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 49,
+                  "startColumn": 20,
+                  "endLine": 49,
+                  "endColumn": 26
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/41",
+            "github/alertNumber": 41
+          }
+        },
+        {
+          "ruleId": "java/ssrf",
+          "rule": {
+            "id": "java/ssrf",
+            "index": 47,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Potential server-side request forgery due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                  "index": 38
+                },
+                "region": {
+                  "startLine": 57,
+                  "startColumn": 57,
+                  "endLine": 57,
+                  "endColumn": 69
+                }
+              }
+            }
+          ],
+          "correlationGuid": "839215e6-bef4-4426-97bf-80d3555da65d",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "c240ab2d5b41ea5f:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 72,
+                            "startColumn": 23,
+                            "endLine": 72,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "bean : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 315,
+                            "startColumn": 16,
+                            "endLine": 315,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 231,
+                            "startColumn": 49,
+                            "endLine": 231,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java",
+                            "index": 39
+                          },
+                          "region": {
+                            "startLine": 223,
+                            "startColumn": 19,
+                            "endLine": 223,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java",
+                            "index": 39
+                          },
+                          "region": {
+                            "startLine": 224,
+                            "startColumn": 16,
+                            "endLine": 224,
+                            "endColumn": 28
+                          }
+                        },
+                        "message": {
+                          "text": "enclosureURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 231,
+                            "startColumn": 49,
+                            "endLine": 231,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getEnclosureURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 48,
+                            "startColumn": 52,
+                            "endLine": 48,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 65,
+                            "endLine": 57,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 57,
+                            "endLine": 57,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "new URL(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 72,
+                  "startColumn": 23,
+                  "endLine": 72,
+                  "endColumn": 27
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/42",
+            "github/alertNumber": 42
+          }
+        },
+        {
+          "ruleId": "java/error-message-exposure",
+          "rule": {
+            "id": "java/error-message-exposure",
+            "index": 13,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "[Error information](1) can be exposed to an external user."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 40
+                },
+                "region": {
+                  "startLine": 147,
+                  "startColumn": 24,
+                  "endLine": 147,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "d722e768-31a0-417b-9b87-847c29a58084",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "7c1f69188f18e239:1"
+          },
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 142,
+                  "startColumn": 25,
+                  "endLine": 142,
+                  "endColumn": 39
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/43",
+            "github/alertNumber": 43
+          }
+        },
+        {
+          "ruleId": "java/error-message-exposure",
+          "rule": {
+            "id": "java/error-message-exposure",
+            "index": 13,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "[Error information](1) can be exposed to an external user.\n[Error information](2) can be exposed to an external user."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 40
+                },
+                "region": {
+                  "startLine": 221,
+                  "startColumn": 24,
+                  "endLine": 221,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "4df5ee6f-b915-488c-ba43-35a70984f360",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "517a7a49b664a801:1"
+          },
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 142,
+                  "startColumn": 25,
+                  "endLine": 142,
+                  "endColumn": 39
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 214,
+                  "startColumn": 21,
+                  "endLine": 214,
+                  "endColumn": 35
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/44",
+            "github/alertNumber": 44
+          }
+        }
+      ],
+      "automationDetails": {
+        "id": ".github/workflows/codeql-analysis.yml:analyze/language:java/"
+      },
+      "properties": {
+        "codeqlConfigSummary": {}
+      }
+    }
+  ]
+}
diff --git a/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-3.sarif b/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-3.sarif
new file mode 100644
index 000000000..046b9ccda
--- /dev/null
+++ b/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-3.sarif
@@ -0,0 +1,4535 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL",
+          "semanticVersion": "2.19.3"
+        },
+        "extensions": [
+          {
+            "name": "codeql/javascript-queries",
+            "semanticVersion": "1.2.3+39a67b6e2e6490a9bd010db50e148f647765e9f7",
+            "rules": [
+              {
+                "id": "js/actions/actions-artifact-leak",
+                "name": "js/actions/actions-artifact-leak",
+                "shortDescription": {
+                  "text": "Storage of sensitive information in GitHub Actions artifact"
+                },
+                "fullDescription": {
+                  "text": "Including sensitive information in a GitHub Actions artifact can expose it to an attacker."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Storage of sensitive information in GitHub Actions artifact\nSensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a GitHub Actions artifact.\n\n\n## Example\nThe following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \\`.git/config\\` file and then stores the contents of the \\`.git\\` repository into the artifact:\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2\n        with:\n          name: file\n          path: .\n\n```\nThe issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact.\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # NOT VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@v4\n        with:\n          name: file\n          path: .\n\n\n```\n",
+                  "markdown": "# Storage of sensitive information in GitHub Actions artifact\nSensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a GitHub Actions artifact.\n\n\n## Example\nThe following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \\`.git/config\\` file and then stores the contents of the \\`.git\\` repository into the artifact:\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2\n        with:\n          name: file\n          path: .\n\n```\nThe issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact.\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # NOT VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@v4\n        with:\n          name: file\n          path: .\n\n\n```\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-312",
+                    "external/cwe/cwe-315",
+                    "external/cwe/cwe-359",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "js/actions/command-injection",
+                "name": "js/actions/command-injection",
+                "shortDescription": {
+                  "text": "Expression injection in Actions"
+                },
+                "fullDescription": {
+                  "text": "Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious user to inject code into the GitHub action."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - run: |\n        echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    -  env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo '${{ env.BODY }}'\n```\nThe following example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security 
hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n",
+                  "markdown": "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - run: |\n        echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    -  env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo '${{ env.BODY }}'\n```\nThe following example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security 
hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "actions",
+                    "external/cwe/cwe-094",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.3"
+                }
+              },
+              {
+                "id": "js/angular/disabling-sce",
+                "name": "js/angular/disabling-sce",
+                "shortDescription": {
+                  "text": "Disabling SCE"
+                },
+                "fullDescription": {
+                  "text": "Disabling strict contextual escaping (SCE) can cause security vulnerabilities."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n    .config(function($sceProvider) {\n        $sceProvider.enabled(false); // BAD\n    }).controller('controller', function($scope) {\n        // ...\n        $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n .config(function($sceProvider) {\n $sceProvider.enabled(false); // BAD\n }).controller('controller', function($scope) {\n // ...\n $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-116", + "frameworks/angularjs", + "maintainability", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/AngularJS/DisablingSce.ql", + "precision": "very-high", + "security-severity": "7.8" + } + }, + { + "id": "js/angular/double-compilation", + "name": "js/angular/double-compilation", + "shortDescription": { + "text": "Double compilation" + }, + "fullDescription": { + "text": "Recompiling an already compiled part of the DOM can lead to unexpected behavior of directives, performance problems, and memory leaks." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n", + "markdown": "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1176", + "frameworks/angularjs", + "reliability", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/AngularJS/DoubleCompilation.ql", + "precision": "very-high", + "security-severity": "8.8" + } + }, + { + "id": "js/angular/insecure-url-whitelist", + "name": "js/angular/insecure-url-whitelist", + "shortDescription": { + 
"text": "Insecure URL whitelist" + }, + "fullDescription": { + "text": "URL whitelists that are too permissive can cause security vulnerabilities." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n", + "markdown": "# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. 
One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-183", + "external/cwe/cwe-625", + "frameworks/angularjs", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql", + "precision": "very-high", + "security-severity": "7.5" + } + }, + { + "id": "js/bad-code-sanitization", + "name": "js/bad-code-sanitization", + "shortDescription": { + "text": "Improper code sanitization" + }, + "fullDescription": { + "text": "Escaping code as HTML does not provide 
protection against code injection." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Improper code sanitization\nUsing string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Improper code sanitization\nUsing string 
concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-094", + "external/cwe/cwe-116", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/bad-tag-filter", + "name": "js/bad-tag-filter", + "shortDescription": { + "text": "Bad HTML filtering regexp" + }, + "fullDescription": { + "text": "Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. 
This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n", + "markdown": "# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. 
Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "external/cwe/cwe-080", + "external/cwe/cwe-116", + 
"external/cwe/cwe-184", + "external/cwe/cwe-185", + "external/cwe/cwe-186", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-116/BadTagFilter.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "js/biased-cryptographic-random", + "name": "js/biased-cryptographic-random", + "shortDescription": { + "text": "Creating biased random numbers from a cryptographically secure source" + }, + "fullDescription": { + "text": "Some mathematical operations on random numbers can cause bias in the results and compromise security." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n", + "markdown": "# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-327", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-327/BadRandomness.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/build-artifact-leak", + "name": "js/build-artifact-leak", + "shortDescription": { + "text": "Storage of sensitive information in build artifact" + }, + "fullDescription": { + "text": "Including sensitive information in a build artifact can expose it to an attacker." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown": "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that 
inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-312", + "external/cwe/cwe-315", + "external/cwe/cwe-359", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/case-sensitive-middleware-path", + "name": "js/case-sensitive-middleware-path", + "shortDescription": { + "text": "Case-sensitive middleware path" + }, + "fullDescription": { + "text": "Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n", + "markdown": "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-178", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql", + "precision": "high", + "security-severity": "7.3" + } + }, + { + "id": "js/clear-text-cookie", + "name": "js/clear-text-cookie", + "shortDescription": { + "text": "Clear text transmission of sensitive cookie" + }, + "fullDescription": { + "text": "Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. 
If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n", + "markdown": "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-311", + "external/cwe/cwe-312", + "external/cwe/cwe-319", + "external/cwe/cwe-614", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-614/ClearTextCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "js/clear-text-logging", + "name": "js/clear-text-logging", + "shortDescription": { + "text": "Clear-text logging of sensitive information" + }, + "fullDescription": { + "text": "Logging sensitive information without encryption or hashing can expose it to an attacker." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. 
Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n", + "markdown": "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. 
Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-312", + "external/cwe/cwe-359", + "external/cwe/cwe-532", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/CleartextLogging.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/clear-text-storage-of-sensitive-data", + "name": "js/clear-text-storage-of-sensitive-data", + "shortDescription": { + "text": "Clear text storage of sensitive information" + }, + "fullDescription": { + "text": "Sensitive information stored without encryption or hashing can expose it to an attacker." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. 
This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. 
Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown": "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = 
req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-312", + "external/cwe/cwe-315", + "external/cwe/cwe-359", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/CleartextStorage.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/client-exposed-cookie", + "name": "js/client-exposed-cookie", + "shortDescription": { + "text": "Sensitive server cookie exposed to the client" + }, + "fullDescription": { + "text": "Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n", + "markdown": "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1004", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-1004/ClientExposedCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "js/client-side-unvalidated-url-redirection", + "name": "js/client-side-unvalidated-url-redirection", + "shortDescription": { + "text": "Client-side URL redirect" + }, + "fullDescription": { + "text": "Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", + "markdown": "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. 
This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-116", + "external/cwe/cwe-601", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/code-injection", + "name": "js/code-injection", + "shortDescription": { + "text": "Code injection" + }, + "fullDescription": { + "text": "Interpreting unsanitized user input as code allows a malicious user arbitrary code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. 
It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. 
It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-094", + "external/cwe/cwe-095", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-094/CodeInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "js/command-line-injection", + "name": "js/command-line-injection", + "shortDescription": { + "text": "Uncontrolled command line" + }, + "fullDescription": { + "text": "Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. 
For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown": "# Uncontrolled command line\nCode that passes 
untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. 
For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties": { + "tags": [ + "correctness", + 
"external/cwe/cwe-078", + "external/cwe/cwe-088", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-078/CommandInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "js/cors-misconfiguration-for-credentials", + "name": "js/cors-misconfiguration-for-credentials", + "shortDescription": { + "text": "CORS misconfiguration for credentials transfer" + }, + "fullDescription": { + "text": "Misconfiguration of CORS HTTP headers allows for leaks of secret credentials." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. 
Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. 
The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: [CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n", + "markdown": "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. 
Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. 
The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: [CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-346", + "external/cwe/cwe-639", + "external/cwe/cwe-942", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/cross-window-information-leak", + "name": 
"js/cross-window-information-leak", + "shortDescription": { + "text": "Cross-window communication with unrestricted target origin" + }, + "fullDescription": { + "text": "When sending sensitive information to another window using `postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown": "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-201", + "external/cwe/cwe-359", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-201/PostMessageStar.ql", + "precision": "high", + "security-severity": "4.3" + } + }, + { + "id": "js/disabling-certificate-validation", + "name": "js/disabling-certificate-validation", + "shortDescription": { + "text": "Disabling certificate validation" + }, + "fullDescription": { + "text": "Disabling cryptographic certificate validation can cause security vulnerabilities." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n", + "markdown": "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-295", + "external/cwe/cwe-297", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql", + "precision": "very-high", + "security-severity": "7.5" + } + }, + { + "id": "js/disabling-electron-websecurity", + "name": "js/disabling-electron-websecurity", + "shortDescription": { + "text": "Disabling Electron webSecurity" + }, + "fullDescription": { + "text": "Disabling 
webSecurity can cause critical security vulnerabilities." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n", + "markdown": "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. 
Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-79", + "frameworks/electron", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Electron/DisablingWebSecurity.ql", + "precision": "very-high", + "security-severity": "6.1" + } + }, + { + "id": "js/double-escaping", + "name": "js/double-escaping", + "shortDescription": { + "text": "Double escaping or unescaping" + }, + "fullDescription": { + "text": "When escaping special characters using a meta-character like backslash or ampersand, the meta-character has to be escaped first to avoid double-escaping, and conversely it has to be unescaped last to avoid double-unescaping." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `<` and the double-quote character as `"`. 
Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. 
So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `<` and the double-quote character as `"`. Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. 
Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. 
So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "js/enabling-electron-insecure-content", + "name": "js/enabling-electron-insecure-content", + "shortDescription": { + "text": "Enabling Electron allowRunningInsecureContent" + }, + "fullDescription": { + "text": "Enabling allowRunningInsecureContent can allow remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n", + "markdown": "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-494", + "frameworks/electron", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Electron/AllowRunningInsecureContent.ql", + "precision": "very-high", + "security-severity": "8.8" + } + }, + { + "id": "js/exposure-of-private-files", + "name": "js/exposure-of-private-files", + "shortDescription": { + "text": "Exposure of private files" + }, + "fullDescription": { + "text": "Exposing a node_modules folder, or the project folder to the public, can cause exposure of private information." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. 
If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n", + "markdown": "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. 
If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-200", + "external/cwe/cwe-219", + "external/cwe/cwe-548", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql", + "precision": "high", + "security-severity": "6.5" + } + }, + { + "id": "js/functionality-from-untrusted-domain", + "name": "js/functionality-from-untrusted-domain", + "shortDescription": { + "text": "Untrusted domain used in script or other content" + }, + "fullDescription": { + "text": "Using a 
resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. 
When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. 
This use was open to malicious scripts being served by the CDN.\n\n\n```html\n\n \n Polyfill.io demo\n \n \n \n ...\n \n\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)\n \n \n \n ...\n \n\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)\n \n \n \n ...\n \n\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n", + "markdown": "# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. 
In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. 
Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. This use was open to malicious scripts being served by the CDN.\n\n\n```html\n\n \n Polyfill.io demo\n \n \n \n ...\n \n\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)\n \n \n \n ...\n \n\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)\n \n \n \n ...\n \n\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. 
Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-830", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql", + "precision": "high", + "security-severity": "7.2" + } + }, + { + "id": "js/functionality-from-untrusted-source", + "name": "js/functionality-from-untrusted-source", + "shortDescription": { + "text": "Inclusion of functionality from an untrusted source" + }, + "fullDescription": { + "text": "Including functionality from an untrusted source may allow an attacker to control the functionality and execute arbitrary code." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. 
When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource 
Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n", + "markdown": "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. 
Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-830", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql", + "precision": "high", + "security-severity": "6" + } + }, + { + "id": "js/hardcoded-credentials", + "name": "js/hardcoded-credentials", + "shortDescription": { + "text": "Hard-coded credentials" + }, + "fullDescription": { + "text": "Hard-coding credentials in source code may enable an attacker to gain 
unauthorized access." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 
'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n", + "markdown": "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. 
If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment 
variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-259", + "external/cwe/cwe-321", + "external/cwe/cwe-798", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "js/host-header-forgery-in-email-generation", + "name": "js/host-header-forgery-in-email-generation", + "shortDescription": { + "text": "Host header poisoning in email generation" + }, + "fullDescription": { + "text": "Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. 
Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header 
Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n", + "markdown": "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. 
This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-640", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "js/html-constructed-from-input", + "name": "js/html-constructed-from-input", + "shortDescription": { + "text": "Unsafe HTML constructed from library input" + }, + "fullDescription": { + "text": "Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = 
name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. 
If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site 
scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/identity-replacement", + "name": "js/identity-replacement", + "shortDescription": { + "text": "Replacement of a substring with itself" + }, + "fullDescription": { + "text": "Replacing a substring with itself has no effect and may indicate a mistake." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/RegExp/IdentityReplacement.ql", + "precision": "very-high", + "security-severity": "5" + } + }, + { + "id": "js/incomplete-hostname-regexp", + "name": "js/incomplete-hostname-regexp", + "shortDescription": { + "text": "Incomplete regular expression for hostnames" + }, + "fullDescription": { + "text": "Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. 
Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. 
Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "js/incomplete-html-attribute-sanitization", + "name": "js/incomplete-html-attribute-sanitization", + "shortDescription": { 
+ "text": "Incomplete HTML attribute sanitization" + }, + "fullDescription": { + "text": "Writing incompletely sanitized values to HTML attribute strings can lead to a cross-site scripting vulnerability." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Incomplete HTML attribute sanitization\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. Usually, this is done by escaping `<`, `>`, `&` and `\"`. However, the context in which the sanitized value is used decides the characters that need to be sanitized.\n\nAs a consequence, some programs only sanitize `<` and `>` since those are the most common dangerous characters. The lack of sanitization for `\"` is problematic when an incompletely sanitized value is used as an HTML attribute in a string that later is parsed as HTML.\n\n\n## Recommendation\nSanitize all relevant HTML meta-characters when constructing HTML dynamically, and pay special attention to where the sanitized value is used.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) to an HTML attribute of the server response. The user-controlled value is, however, not sanitized for `\"`. This leaves the website vulnerable to cross-site scripting since an attacker can use a string like `\" onclick=\"alert(42)` to inject JavaScript code into the response.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>/g, \"\"); // BAD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\nSanitizing the user-controlled data for `\"` helps prevent the vulnerability:\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>|&|\"/g, \"\"); // GOOD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Incomplete HTML attribute sanitization\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. Usually, this is done by escaping `<`, `>`, `&` and `\"`. However, the context in which the sanitized value is used decides the characters that need to be sanitized.\n\nAs a consequence, some programs only sanitize `<` and `>` since those are the most common dangerous characters. The lack of sanitization for `\"` is problematic when an incompletely sanitized value is used as an HTML attribute in a string that later is parsed as HTML.\n\n\n## Recommendation\nSanitize all relevant HTML meta-characters when constructing HTML dynamically, and pay special attention to where the sanitized value is used.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) to an HTML attribute of the server response. 
The user-controlled value is, however, not sanitized for `\"`. This leaves the website vulnerable to cross-site scripting since an attacker can use a string like `\" onclick=\"alert(42)` to inject JavaScript code into the response.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>/g, \"\"); // BAD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\nSanitizing the user-controlled data for `\"` helps prevent the vulnerability:\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>|&|\"/g, \"\"); // GOOD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-020", + "external/cwe/cwe-079", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/incomplete-multi-character-sanitization", + "name": "js/incomplete-multi-character-sanitization", + "shortDescription": { + "text": "Incomplete multi-character sanitization" + }, + "fullDescription": { + "text": "A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. 
However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/\n \n \n \n \n\n\n```\nThe corrected version sets the `android:debuggable` attribute to `false`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The android:debuggable attribute](https://developer.android.com/guide/topics/manifest/application-element#debug).\n* Android Developers: [Enable debugging](https://developer.android.com/studio/debug#enable-debug).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n", + "markdown": "# Android debuggable attribute enabled\nThe Android manifest file defines configuration settings for Android applications. In this file, the `android:debuggable` attribute of the `application` element can be used to define whether or not the application can be debugged. 
When set to `true`, this attribute will allow the application to be debugged even when running on a device in user mode.\n\nWhen a debugger is enabled, it could allow for entry points in the application or reveal sensitive information. As a result, `android:debuggable` should only be enabled during development and should be disabled in production builds.\n\n\n## Recommendation\nIn Android applications, either set the `android:debuggable` attribute to `false`, or do not include it in the manifest. The default value, when not included, is `false`.\n\n\n## Example\nIn the example below, the `android:debuggable` attribute is set to `true`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\nThe corrected version sets the `android:debuggable` attribute to `false`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The android:debuggable attribute](https://developer.android.com/guide/topics/manifest/application-element#debug).\n* Android Developers: [Enable debugging](https://developer.android.com/studio/debug#enable-debug).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-489", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql", + "precision": "very-high", + "security-severity": "7.2" + } + }, + { + "id": "java/android/fragment-injection", + "name": "java/android/fragment-injection", + "shortDescription": { + "text": "Android fragment injection" + }, + "fullDescription": { + "text": "Instantiating an Android fragment from a user-provided value may allow a malicious application to bypass access controls, exposing the application to unintended effects." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android fragment injection\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. 
Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n", + "markdown": "# Android fragment injection\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. 
This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-470", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/android/fragment-injection-preference-activity", + "name": "java/android/fragment-injection-preference-activity", + "shortDescription": { + "text": "Android fragment injection in PreferenceActivity" + }, + "fullDescription": { + "text": "An insecure implementation of the 'isValidFragment' method of the 'PreferenceActivity' class may allow a malicious application to bypass access controls, exposing the application to unintended effects." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android fragment injection in PreferenceActivity\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. 
Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n", + "markdown": "# Android fragment injection in PreferenceActivity\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. 
This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. 
The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-470", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/android/implicit-pendingintents", + "name": "java/android/implicit-pendingintents", + "shortDescription": { + "text": "Use of implicit PendingIntents" + }, + "fullDescription": { + "text": "Sending an implicit and mutable 'PendingIntent' to an unspecified third party component may provide an attacker with access to internal components of the application or cause other unintended effects." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of implicit PendingIntents\nA `PendingIntent` is used to wrap an `Intent` that will be supplied and executed by another application. When the `Intent` is executed, it behaves as if it were run directly by the supplying application, using the privileges of that application.\n\nIf a `PendingIntent` is configured to be mutable, the fields of its internal `Intent` can be changed by the receiving application if they were not previously set. This means that a mutable `PendingIntent` that has not defined a destination component (that is, an implicit `PendingIntent`) can be altered to execute an arbitrary action with the privileges of the application that created it.\n\nA malicious application can access an implicit `PendingIntent` as follows:\n\n* It is wrapped and sent as an extra of another implicit `Intent`.\n* It is sent as the action of a `Slide`.\n* It is sent as the action of a `Notification`.\n\n\nOn gaining access, the attacker can modify the underlying `Intent` and execute an arbitrary action with elevated privileges. This could give the malicious application access to private components of the victim application, or the ability to perform actions without having the necessary permissions.\n\n\n## Recommendation\nAvoid creating implicit `PendingIntent`s. 
This means that the underlying `Intent` should always have an explicit destination component.\n\nWhen you add the `PendingIntent` as an extra of another `Intent`, make sure that this second `Intent` also has an explicit destination component, so that it is not delivered to untrusted applications.\n\nCreate the `PendingIntent` using the flag `FLAG_IMMUTABLE` whenever possible, to prevent the destination component from modifying empty fields of the underlying `Intent`.\n\n\n## Example\nIn the following examples, a `PendingIntent` is created and wrapped as an extra of another `Intent`.\n\nIn the first example, both the `PendingIntent` and the `Intent` it is wrapped in are implicit, making them vulnerable to attack.\n\nIn the second example, the issue is avoided by adding explicit destination components to the `PendingIntent` and the wrapping `Intent`.\n\nThe third example uses the `FLAG_IMMUTABLE` flag to prevent the underlying `Intent` from being modified by the destination component.\n\n\n```java\nimport android.app.Activity;\nimport android.app.PendingIntent;\nimport android.content.Intent;\nimport android.os.Bundle;\n\npublic class ImplicitPendingIntents extends Activity {\n\n\tpublic void onCreate(Bundle savedInstance) {\n\t\t{\n\t\t\t// BAD: an implicit Intent is used to create a PendingIntent.\n\t\t\t// The PendingIntent is then added to another implicit Intent\n\t\t\t// and started.\n\t\t\tIntent baseIntent = new Intent();\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent(\"SOME_ACTION\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tsendBroadcast(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: both the PendingIntent and the wrapping Intent are explicit.\n\t\t\tIntent safeIntent = new Intent(this, AnotherActivity.class);\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, safeIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent 
= new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: The PendingIntent is created with FLAG_IMMUTABLE.\n\t\t\tIntent baseIntent = new Intent(\"SOME_ACTION\");\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* Google Help: [ Remediation for Implicit PendingIntent Vulnerability ](https://support.google.com/faqs/answer/10437428?hl=en)\n* University of Potsdam: [ PIAnalyzer: A precise approach for PendingIntent vulnerability analysis ](https://www.cs.uni-potsdam.de/se/papers/esorics18.pdf)\n* Common Weakness Enumeration: [CWE-927](https://cwe.mitre.org/data/definitions/927.html).\n", + "markdown": "# Use of implicit PendingIntents\nA `PendingIntent` is used to wrap an `Intent` that will be supplied and executed by another application. When the `Intent` is executed, it behaves as if it were run directly by the supplying application, using the privileges of that application.\n\nIf a `PendingIntent` is configured to be mutable, the fields of its internal `Intent` can be changed by the receiving application if they were not previously set. 
This means that a mutable `PendingIntent` that has not defined a destination component (that is, an implicit `PendingIntent`) can be altered to execute an arbitrary action with the privileges of the application that created it.\n\nA malicious application can access an implicit `PendingIntent` as follows:\n\n* It is wrapped and sent as an extra of another implicit `Intent`.\n* It is sent as the action of a `Slide`.\n* It is sent as the action of a `Notification`.\n\n\nOn gaining access, the attacker can modify the underlying `Intent` and execute an arbitrary action with elevated privileges. This could give the malicious application access to private components of the victim application, or the ability to perform actions without having the necessary permissions.\n\n\n## Recommendation\nAvoid creating implicit `PendingIntent`s. This means that the underlying `Intent` should always have an explicit destination component.\n\nWhen you add the `PendingIntent` as an extra of another `Intent`, make sure that this second `Intent` also has an explicit destination component, so that it is not delivered to untrusted applications.\n\nCreate the `PendingIntent` using the flag `FLAG_IMMUTABLE` whenever possible, to prevent the destination component from modifying empty fields of the underlying `Intent`.\n\n\n## Example\nIn the following examples, a `PendingIntent` is created and wrapped as an extra of another `Intent`.\n\nIn the first example, both the `PendingIntent` and the `Intent` it is wrapped in are implicit, making them vulnerable to attack.\n\nIn the second example, the issue is avoided by adding explicit destination components to the `PendingIntent` and the wrapping `Intent`.\n\nThe third example uses the `FLAG_IMMUTABLE` flag to prevent the underlying `Intent` from being modified by the destination component.\n\n\n```java\nimport android.app.Activity;\nimport android.app.PendingIntent;\nimport android.content.Intent;\nimport android.os.Bundle;\n\npublic class 
ImplicitPendingIntents extends Activity {\n\n\tpublic void onCreate(Bundle savedInstance) {\n\t\t{\n\t\t\t// BAD: an implicit Intent is used to create a PendingIntent.\n\t\t\t// The PendingIntent is then added to another implicit Intent\n\t\t\t// and started.\n\t\t\tIntent baseIntent = new Intent();\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent(\"SOME_ACTION\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tsendBroadcast(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: both the PendingIntent and the wrapping Intent are explicit.\n\t\t\tIntent safeIntent = new Intent(this, AnotherActivity.class);\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, safeIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: The PendingIntent is created with FLAG_IMMUTABLE.\n\t\t\tIntent baseIntent = new Intent(\"SOME_ACTION\");\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* Google Help: [ Remediation for Implicit PendingIntent Vulnerability ](https://support.google.com/faqs/answer/10437428?hl=en)\n* University of Potsdam: [ PIAnalyzer: A precise approach for PendingIntent vulnerability analysis ](https://www.cs.uni-potsdam.de/se/papers/esorics18.pdf)\n* Common Weakness Enumeration: [CWE-927](https://cwe.mitre.org/data/definitions/927.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-927", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/android/implicitly-exported-component", + "name": "java/android/implicitly-exported-component", + "shortDescription": { + "text": "Implicitly exported Android component" + }, + "fullDescription": { + "text": "Android components with an '' and no 'android:exported' attribute are implicitly exported, which can allow for improper access to the components themselves and to their data." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Implicitly exported Android component\nThe Android manifest file defines configuration settings for Android applications. In this file, components can be declared with intent filters which specify what the components can do and what types of intents the components can respond to. If the `android:exported` attribute is omitted from the component when an intent filter is included, then the component will be implicitly exported.\n\nAn implicitly exported component could allow for improper access to the component and its data.\n\n\n## Recommendation\nExplicitly set the `android:exported` attribute for every component or use permissions to limit access to the component.\n\n\n## Example\nIn the example below, the `android:exported` attribute is omitted when an intent filter is used.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n \n \n \n \n \n\n\n```\nA corrected version sets the `android:exported` attribute to `false`.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n android:exported=\"false\"\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The <intent-filter> element](https://developer.android.com/guide/topics/manifest/intent-filter-element).\n* Android Developers: [The 
android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Android Developers: [The android:permission attribute](https://developer.android.com/guide/topics/manifest/activity-element#prmsn).\n* Android Developers: [Safer component exporting](https://developer.android.com/about/versions/12/behavior-changes-12#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n", + "markdown": "# Implicitly exported Android component\nThe Android manifest file defines configuration settings for Android applications. In this file, components can be declared with intent filters which specify what the components can do and what types of intents the components can respond to. If the `android:exported` attribute is omitted from the component when an intent filter is included, then the component will be implicitly exported.\n\nAn implicitly exported component could allow for improper access to the component and its data.\n\n\n## Recommendation\nExplicitly set the `android:exported` attribute for every component or use permissions to limit access to the component.\n\n\n## Example\nIn the example below, the `android:exported` attribute is omitted when an intent filter is used.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n \n \n \n \n \n\n\n```\nA corrected version sets the `android:exported` attribute to `false`.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n android:exported=\"false\"\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The <intent-filter> element](https://developer.android.com/guide/topics/manifest/intent-filter-element).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Android Developers: [The android:permission 
attribute](https://developer.android.com/guide/topics/manifest/activity-element#prmsn).\n* Android Developers: [Safer component exporting](https://developer.android.com/about/versions/12/behavior-changes-12#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-926", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/android/insecure-local-authentication", + "name": "java/android/insecure-local-authentication", + "shortDescription": { + "text": "Insecure local authentication" + }, + "fullDescription": { + "text": "Local authentication that does not make use of a `CryptoObject` can be bypassed." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Insecure local authentication\nBiometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. However, if this authentication does not use a `KeyStore`-backed key, it can be bypassed by a privileged malicious application, or by an attacker with physical access using application hooking tools such as Frida.\n\n\n## Recommendation\nGenerate a secure key in the Android `KeyStore`. 
Ensure that the `onAuthenticationSuccess` callback for a biometric prompt uses it in a way that is required for the sensitive parts of the application to function, such as by using it to decrypt sensitive data or credentials.\n\n\n## Example\nIn the following (bad) case, no `CryptoObject` is required for the biometric prompt to grant access, so it can be bypassed.\n\n\n```java\nbiometricPrompt.authenticate(\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback {\n @Override\n // BAD: This authentication callback does not make use of a `CryptoObject` from the `result`.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n grantAccess()\n }\n }\n)\n```\nIn the following (good) case, a secret key is generated in the Android `KeyStore`. The application requires this secret key for access, using it to decrypt data.\n\n\n```java\nprivate void generateSecretKey() {\n KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(\n \"MySecretKey\",\n KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)\n .setBlockModes(KeyProperties.BLOCK_MODE_CBC)\n .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)\n .setUserAuthenticationRequired(true)\n .setInvalidatedByBiometricEnrollment(true)\n .build();\n KeyGenerator keyGenerator = KeyGenerator.getInstance(\n KeyProperties.KEY_ALGORITHM_AES, \"AndroidKeyStore\");\n keyGenerator.init(keyGenParameterSpec);\n keyGenerator.generateKey();\n}\n\n\nprivate SecretKey getSecretKey() {\n KeyStore keyStore = KeyStore.getInstance(\"AndroidKeyStore\");\n keyStore.load(null);\n return ((SecretKey)keyStore.getKey(\"MySecretKey\", null));\n}\n\nprivate Cipher getCipher() {\n return Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + \"/\"\n + KeyProperties.BLOCK_MODE_CBC + \"/\"\n + KeyProperties.ENCRYPTION_PADDING_PKCS7);\n}\n\npublic prompt(byte[] encryptedData) {\n Cipher cipher = getCipher();\n SecretKey secretKey = getSecretKey();\n 
cipher.init(Cipher.DECRYPT_MODE, secretKey);\n\n biometricPrompt.authenticate(\n new BiometricPrompt.CryptoObject(cipher),\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback() {\n @Override\n // GOOD: This authentication callback uses the result to decrypt some data.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n Cipher cipher = result.getCryptoObject().getCipher();\n byte[] decryptedData = cipher.doFinal(encryptedData);\n grantAccessWithData(decryptedData);\n }\n }\n );\n}\n```\n\n## References\n* OWASP Mobile Application Security: [Android Local Authentication](https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/)\n* OWASP Mobile Application Security: [Testing Biometric Authentication](https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0018/)\n* WithSecure: [How Secure is your Android Keystore Authentication?](https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication)\n* Android Developers: [Biometric Authentication](https://developer.android.com/training/sign-in/biometric-auth)\n* Common Weakness Enumeration: [CWE-287](https://cwe.mitre.org/data/definitions/287.html).\n", + "markdown": "# Insecure local authentication\nBiometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. However, if this authentication does not use a `KeyStore`-backed key, it can be bypassed by a privileged malicious application, or by an attacker with physical access using application hooking tools such as Frida.\n\n\n## Recommendation\nGenerate a secure key in the Android `KeyStore`. 
Ensure that the `onAuthenticationSuccess` callback for a biometric prompt uses it in a way that is required for the sensitive parts of the application to function, such as by using it to decrypt sensitive data or credentials.\n\n\n## Example\nIn the following (bad) case, no `CryptoObject` is required for the biometric prompt to grant access, so it can be bypassed.\n\n\n```java\nbiometricPrompt.authenticate(\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback {\n @Override\n // BAD: This authentication callback does not make use of a `CryptoObject` from the `result`.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n grantAccess()\n }\n }\n)\n```\nIn the following (good) case, a secret key is generated in the Android `KeyStore`. The application requires this secret key for access, using it to decrypt data.\n\n\n```java\nprivate void generateSecretKey() {\n KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(\n \"MySecretKey\",\n KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)\n .setBlockModes(KeyProperties.BLOCK_MODE_CBC)\n .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)\n .setUserAuthenticationRequired(true)\n .setInvalidatedByBiometricEnrollment(true)\n .build();\n KeyGenerator keyGenerator = KeyGenerator.getInstance(\n KeyProperties.KEY_ALGORITHM_AES, \"AndroidKeyStore\");\n keyGenerator.init(keyGenParameterSpec);\n keyGenerator.generateKey();\n}\n\n\nprivate SecretKey getSecretKey() {\n KeyStore keyStore = KeyStore.getInstance(\"AndroidKeyStore\");\n keyStore.load(null);\n return ((SecretKey)keyStore.getKey(\"MySecretKey\", null));\n}\n\nprivate Cipher getCipher() {\n return Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + \"/\"\n + KeyProperties.BLOCK_MODE_CBC + \"/\"\n + KeyProperties.ENCRYPTION_PADDING_PKCS7);\n}\n\npublic prompt(byte[] encryptedData) {\n Cipher cipher = getCipher();\n SecretKey secretKey = getSecretKey();\n 
cipher.init(Cipher.DECRYPT_MODE, secretKey);\n\n biometricPrompt.authenticate(\n new BiometricPrompt.CryptoObject(cipher),\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback() {\n @Override\n // GOOD: This authentication callback uses the result to decrypt some data.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n Cipher cipher = result.getCryptoObject().getCipher();\n byte[] decryptedData = cipher.doFinal(encryptedData);\n grantAccessWithData(decryptedData);\n }\n }\n );\n}\n```\n\n## References\n* OWASP Mobile Application Security: [Android Local Authentication](https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/)\n* OWASP Mobile Application Security: [Testing Biometric Authentication](https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0018/)\n* WithSecure: [How Secure is your Android Keystore Authentication?](https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication)\n* Android Developers: [Biometric Authentication](https://developer.android.com/training/sign-in/biometric-auth)\n* Common Weakness Enumeration: [CWE-287](https://cwe.mitre.org/data/definitions/287.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-287", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql", + "precision": "high", + "security-severity": "4.4" + } + }, + { + "id": "java/android/intent-redirection", + "name": "java/android/intent-redirection", + "shortDescription": { + "text": "Android Intent redirection" + }, + "fullDescription": { + "text": "Starting Android components with user-provided Intents can provide access to internal components of the application, increasing the attack surface and potentially causing unintended effects." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android Intent redirection\nAn exported Android component that obtains a user-provided Intent and uses it to launch another component can be exploited to obtain access to private, unexported components of the same app or to launch other apps' components on behalf of the victim app.\n\n\n## Recommendation\nDo not export components that start other components from a user-provided Intent. They can be made private by setting the `android:exported` property to `false` in the app's Android Manifest.\n\nIf this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.\n\n\n## Example\nThe following snippet contains three examples. In the first example, an arbitrary component can be started from the externally provided `forward_intent` Intent. In the second example, the destination component of the Intent is first checked to make sure it is safe. 
In the third example, the component that created the Intent is first checked to make sure it comes from a trusted origin.\n\n\n```java\n// BAD: A user-provided Intent is used to launch an arbitrary component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nstartActivity(forwardIntent);\n\n// GOOD: The destination component is checked before launching it\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());\nif (destinationComponent.getPackageName().equals(\"safe.package\") && \n destinationComponent.getClassName().equals(\"SafeClass\")) {\n startActivity(forwardIntent);\n}\n\n// GOOD: The component that sent the Intent is checked before launching the destination component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName originComponent = getCallingActivity();\nif (originComponent.getPackageName().equals(\"trusted.package\") && originComponent.getClassName().equals(\"TrustedClass\")) {\n startActivity(forwardIntent);\n}\n\n```\n\n## References\n* Google: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* OWASP Mobile Security Testing Guide: [Intents](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n", + "markdown": "# Android Intent redirection\nAn exported Android component that obtains a user-provided Intent and uses it to launch another component can be exploited to obtain access to private, unexported components of 
the same app or to launch other apps' components on behalf of the victim app.\n\n\n## Recommendation\nDo not export components that start other components from a user-provided Intent. They can be made private by setting the `android:exported` property to `false` in the app's Android Manifest.\n\nIf this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.\n\n\n## Example\nThe following snippet contains three examples. In the first example, an arbitrary component can be started from the externally provided `forward_intent` Intent. In the second example, the destination component of the Intent is first checked to make sure it is safe. In the third example, the component that created the Intent is first checked to make sure it comes from a trusted origin.\n\n\n```java\n// BAD: A user-provided Intent is used to launch an arbitrary component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nstartActivity(forwardIntent);\n\n// GOOD: The destination component is checked before launching it\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());\nif (destinationComponent.getPackageName().equals(\"safe.package\") && \n destinationComponent.getClassName().equals(\"SafeClass\")) {\n startActivity(forwardIntent);\n}\n\n// GOOD: The component that sent the Intent is checked before launching the destination component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName originComponent = getCallingActivity();\nif (originComponent.getPackageName().equals(\"trusted.package\") && originComponent.getClassName().equals(\"TrustedClass\")) {\n startActivity(forwardIntent);\n}\n\n```\n\n## References\n* Google: [Remediation for Intent Redirection 
Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* OWASP Mobile Security Testing Guide: [Intents](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-926", + "external/cwe/cwe-940", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/android/intent-uri-permission-manipulation", + "name": "java/android/intent-uri-permission-manipulation", + "shortDescription": { + "text": "Intent URI permission manipulation" + }, + "fullDescription": { + "text": "Returning an externally provided Intent via 'setResult' may allow a malicious application to access arbitrary content providers of the vulnerable application." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Intent URI permission manipulation\nWhen an Android component expects a result from an Activity, `startActivityForResult` can be used. The started Activity can then use `setResult` to return the appropriate data to the calling component.\n\nIf an Activity obtains the incoming, user-provided Intent and directly returns it via `setResult` without any checks, the application may be unintentionally giving arbitrary access to its content providers, even if they are not exported, as long as they are configured with the attribute `android:grantUriPermissions=\"true\"`. 
This happens because the attacker adds the appropriate URI permission flags to the provided Intent, which take effect once the Intent is reflected back.\n\n\n## Recommendation\nAvoid returning user-provided or untrusted Intents via `setResult`. Use a new Intent instead.\n\nIf it is required to use the received Intent, make sure that it does not contain URI permission flags, either by checking them with `Intent.getFlags` or removing them with `Intent.removeFlags`.\n\n\n## Example\nThe following sample contains three examples. In the first example, a user-provided Intent is obtained and directly returned back with `setResult`, which is dangerous. In the second example, a new Intent is created to safely return the desired data. The third example shows how the obtained Intent can be sanitized by removing dangerous flags before using it to return data to the calling component.\n\n\n```java\npublic class IntentUriPermissionManipulation extends Activity {\n\n // BAD: the user-provided Intent is returned as-is\n public void dangerous() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: a new Intent is created and returned\n public void safe() {\n Intent intent = new Intent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: the user-provided Intent is sanitized before being returned\n public void sanitized() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n intent.removeFlags(\n Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION);\n setResult(intent);\n }\n}\n\n```\n\n## References\n* Google Help: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n", + "markdown": "# Intent URI 
permission manipulation\nWhen an Android component expects a result from an Activity, `startActivityForResult` can be used. The started Activity can then use `setResult` to return the appropriate data to the calling component.\n\nIf an Activity obtains the incoming, user-provided Intent and directly returns it via `setResult` without any checks, the application may be unintentionally giving arbitrary access to its content providers, even if they are not exported, as long as they are configured with the attribute `android:grantUriPermissions=\"true\"`. This happens because the attacker adds the appropriate URI permission flags to the provided Intent, which take effect once the Intent is reflected back.\n\n\n## Recommendation\nAvoid returning user-provided or untrusted Intents via `setResult`. Use a new Intent instead.\n\nIf it is required to use the received Intent, make sure that it does not contain URI permission flags, either by checking them with `Intent.getFlags` or removing them with `Intent.removeFlags`.\n\n\n## Example\nThe following sample contains three examples. In the first example, a user-provided Intent is obtained and directly returned back with `setResult`, which is dangerous. In the second example, a new Intent is created to safely return the desired data. 
The third example shows how the obtained Intent can be sanitized by removing dangerous flags before using it to return data to the calling component.\n\n\n```java\npublic class IntentUriPermissionManipulation extends Activity {\n\n // BAD: the user-provided Intent is returned as-is\n public void dangerous() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: a new Intent is created and returned\n public void safe() {\n Intent intent = new Intent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: the user-provided Intent is sanitized before being returned\n public void sanitized() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n intent.removeFlags(\n Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION);\n setResult(intent);\n }\n}\n\n```\n\n## References\n* Google Help: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-266", + "external/cwe/cwe-926", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/android/unsafe-content-uri-resolution", + "name": "java/android/unsafe-content-uri-resolution", + "shortDescription": { + "text": "Uncontrolled data used in content resolution" + }, + "fullDescription": { + "text": "Resolving externally-provided content URIs without validation can allow an attacker to access unexpected resources." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Uncontrolled data used in content resolution\nWhen an Android application wants to access data in a content provider, it uses the `ContentResolver` object. `ContentResolver`s communicate with an instance of a class that implements the `ContentProvider` interface via URIs with the `content://` scheme. The authority part (the first path segment) of the URI, passed as parameter to the `ContentResolver`, determines which content provider is contacted for the operation. Specific operations that act on files also support the `file://` scheme, in which case the local filesystem is queried instead. If an external component, like a malicious or compromised application, controls the URI for a `ContentResolver` operation, it can trick the vulnerable application into accessing its own private files or non-exported content providers. The attacking application might be able to get access to the file by forcing it to be copied to a public directory, like external storage, or tamper with the contents by making the application overwrite the file with unexpected data.\n\n\n## Recommendation\nIf possible, avoid using externally-provided data to determine the URI for a `ContentResolver` to use. If that is not an option, validate that the incoming URI can only reference trusted components, like an allow list of content providers and/or applications, or alternatively make sure that the URI does not reference private directories like `/data/`.\n\n\n## Example\nThis example shows three ways of opening a file using a `ContentResolver`. In the first case, externally-provided data from an intent is used directly in the file-reading operation. This allows an attacker to provide a URI of the form `/data/data/(vulnerable app package)/(private file)` to trick the application into reading it and copying it to the external storage. 
In the second case, an insufficient check is performed on the externally-provided URI, still leaving room for exploitation. In the third case, the URI is correctly validated before being used, making sure it does not reference any internal application files.\n\n\n```java\nimport android.content.ContentResolver;\nimport android.net.Uri;\n\npublic class Example extends Activity {\n public void onCreate() {\n // BAD: Externally-provided URI directly used in content resolution\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // BAD: input URI is not normalized, and check can be bypassed with \"..\" characters\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n if (path.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // GOOD: URI is properly validated to block access to internal files\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n java.nio.file.Path normalized =\n java.nio.file.FileSystems.getDefault().getPath(path).normalize();\n if (normalized.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n }\n\n private void copyToExternalCache(InputStream is) {\n // Reads the contents of is and writes a file in the app's external\n // cache directory, which can be read publicly by applications in the same device.\n }\n}\n\n```\n\n## References\n* Android developers: [Content provider basics](https://developer.android.com/guide/topics/providers/content-provider-basics)\n* [The ContentResolver 
class](https://developer.android.com/reference/android/content/ContentResolver)\n* Common Weakness Enumeration: [CWE-441](https://cwe.mitre.org/data/definitions/441.html).\n* Common Weakness Enumeration: [CWE-610](https://cwe.mitre.org/data/definitions/610.html).\n", + "markdown": "# Uncontrolled data used in content resolution\nWhen an Android application wants to access data in a content provider, it uses the `ContentResolver` object. `ContentResolver`s communicate with an instance of a class that implements the `ContentProvider` interface via URIs with the `content://` scheme. The authority part (the first path segment) of the URI, passed as parameter to the `ContentResolver`, determines which content provider is contacted for the operation. Specific operations that act on files also support the `file://` scheme, in which case the local filesystem is queried instead. If an external component, like a malicious or compromised application, controls the URI for a `ContentResolver` operation, it can trick the vulnerable application into accessing its own private files or non-exported content providers. The attacking application might be able to get access to the file by forcing it to be copied to a public directory, like external storage, or tamper with the contents by making the application overwrite the file with unexpected data.\n\n\n## Recommendation\nIf possible, avoid using externally-provided data to determine the URI for a `ContentResolver` to use. If that is not an option, validate that the incoming URI can only reference trusted components, like an allow list of content providers and/or applications, or alternatively make sure that the URI does not reference private directories like `/data/`.\n\n\n## Example\nThis example shows three ways of opening a file using a `ContentResolver`. In the first case, externally-provided data from an intent is used directly in the file-reading operation. 
This allows an attacker to provide a URI of the form `/data/data/(vulnerable app package)/(private file)` to trick the application into reading it and copying it to the external storage. In the second case, an insufficient check is performed on the externally-provided URI, still leaving room for exploitation. In the third case, the URI is correctly validated before being used, making sure it does not reference any internal application files.\n\n\n```java\nimport android.content.ContentResolver;\nimport android.net.Uri;\n\npublic class Example extends Activity {\n public void onCreate() {\n // BAD: Externally-provided URI directly used in content resolution\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // BAD: input URI is not normalized, and check can be bypassed with \"..\" characters\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n if (path.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // GOOD: URI is properly validated to block access to internal files\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n java.nio.file.Path normalized =\n java.nio.file.FileSystems.getDefault().getPath(path).normalize();\n if (normalized.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n }\n\n private void copyToExternalCache(InputStream is) {\n // Reads the contents of is and writes a file in the app's external\n // cache directory, which can be read publicly by applications in the same device.\n 
}\n}\n\n```\n\n## References\n* Android developers: [Content provider basics](https://developer.android.com/guide/topics/providers/content-provider-basics)\n* [The ContentResolver class](https://developer.android.com/reference/android/content/ContentResolver)\n* Common Weakness Enumeration: [CWE-441](https://cwe.mitre.org/data/definitions/441.html).\n* Common Weakness Enumeration: [CWE-610](https://cwe.mitre.org/data/definitions/610.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-441", + "external/cwe/cwe-610", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/android/webview-debugging-enabled", + "name": "java/android/webview-debugging-enabled", + "shortDescription": { + "text": "Android Webview debugging enabled" + }, + "fullDescription": { + "text": "Enabling Webview debugging in production builds can expose entry points or leak sensitive information." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Android Webview debugging enabled\nThe `WebView.setWebContentsDebuggingEnabled` method enables or disables the contents of any `WebView` in the application to be debugged.\n\nYou should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.\n\n\n## Recommendation\nEnsure that debugging features are not enabled in production builds, such as by guarding calls to `WebView.setWebContentsDebuggingEnabled(true)` by a flag that is only enabled in debug builds.\n\n\n## Example\nIn the first (bad) example, WebView debugging is always enabled. 
whereas the GOOD case only enables it if the `android:debuggable` attribute is set to `true`.\n\n\n```java\n// BAD - debugging is always enabled \nWebView.setWebContentsDebuggingEnabled(true);\n\n// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.\nif (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {\n WebView.setWebContentsDebuggingEnabled(true);\n}\n```\n\n## References\n* Android Developers: [setWebContentsDebuggingEnabled](https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)).\n* Android Developers: [Remote debugging WebViews](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n", + "markdown": "# Android Webview debugging enabled\nThe `WebView.setWebContentsDebuggingEnabled` method enables or disables the contents of any `WebView` in the application to be debugged.\n\nYou should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.\n\n\n## Recommendation\nEnsure that debugging features are not enabled in production builds, such as by guarding calls to `WebView.setWebContentsDebuggingEnabled(true)` by a flag that is only enabled in debug builds.\n\n\n## Example\nIn the first (bad) example, WebView debugging is always enabled. 
whereas the GOOD case only enables it if the `android:debuggable` attribute is set to `true`.\n\n\n```java\n// BAD - debugging is always enabled \nWebView.setWebContentsDebuggingEnabled(true);\n\n// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.\nif (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {\n WebView.setWebContentsDebuggingEnabled(true);\n}\n```\n\n## References\n* Android Developers: [setWebContentsDebuggingEnabled](https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)).\n* Android Developers: [Remote debugging WebViews](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-489", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql", + "precision": "high", + "security-severity": "7.2" + } + }, + { + "id": "java/cleartext-storage-in-cookie", + "name": "java/cleartext-storage-in-cookie", + "shortDescription": { + "text": "Cleartext storage of sensitive information in cookie" + }, + "fullDescription": { + "text": "Storing sensitive information in cleartext can expose it to an attacker." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Cleartext storage of sensitive information in cookie\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. It may be wise to encrypt information before it is put into a heap data structure (such as `Java.util.Properties`) that may be written to disk later. 
Objects that are serializable or marshallable should also always contain encrypted information unless you are certain that they are not ever going to be serialized.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\n\n## Example\nThe following example shows two ways of storing user credentials in a cookie. In the 'BAD' case, the credentials are simply stored in cleartext. In the 'GOOD' case, the credentials are hashed before storing them.\n\n\n```java\npublic static void main(String[] args) {\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"BP@ssw0rd\".toCharArray());\n\t\tdata = credentials.getUserName() + \":\" + new String(credentials.getPassword());\n\t\n\t\t// BAD: store data in a cookie in cleartext form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n\t\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"GP@ssw0rd\".toCharArray());\n\t\tString salt = \"ThisIsMySalt\";\n\t\tMessageDigest messageDigest = MessageDigest.getInstance(\"SHA-512\");\n\t\tmessageDigest.reset();\n\t\tString credentialsToHash =\n\t\t\t\tcredentials.getUserName() + \":\" + credentials.getPassword();\n\t\tbyte[] hashedCredsAsBytes =\n\t\t\t\tmessageDigest.digest((salt+credentialsToHash).getBytes(\"UTF-8\"));\n\t\tdata = bytesToString(hashedCredsAsBytes);\n\t\t\n\t\t// GOOD: store data in a cookie in encrypted form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n}\n\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. 
Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n", + "markdown": "# Cleartext storage of sensitive information in cookie\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. It may be wise to encrypt information before it is put into a heap data structure (such as `Java.util.Properties`) that may be written to disk later. Objects that are serializable or marshallable should also always contain encrypted information unless you are certain that they are not ever going to be serialized.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\n\n## Example\nThe following example shows two ways of storing user credentials in a cookie. In the 'BAD' case, the credentials are simply stored in cleartext. 
In the 'GOOD' case, the credentials are hashed before storing them.\n\n\n```java\npublic static void main(String[] args) {\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"BP@ssw0rd\".toCharArray());\n\t\tdata = credentials.getUserName() + \":\" + new String(credentials.getPassword());\n\t\n\t\t// BAD: store data in a cookie in cleartext form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n\t\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"GP@ssw0rd\".toCharArray());\n\t\tString salt = \"ThisIsMySalt\";\n\t\tMessageDigest messageDigest = MessageDigest.getInstance(\"SHA-512\");\n\t\tmessageDigest.reset();\n\t\tString credentialsToHash =\n\t\t\t\tcredentials.getUserName() + \":\" + credentials.getPassword();\n\t\tbyte[] hashedCredsAsBytes =\n\t\t\t\tmessageDigest.digest((salt+credentialsToHash).getBytes(\"UTF-8\"));\n\t\tdata = bytesToString(hashedCredsAsBytes);\n\t\t\n\t\t// GOOD: store data in a cookie in encrypted form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n}\n\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. 
Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-315", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/command-line-injection", + "name": "java/command-line-injection", + "shortDescription": { + "text": "Uncontrolled command line" + }, + "fullDescription": { + "text": "Using externally controlled strings in a command line is vulnerable to malicious changes in the strings." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Uncontrolled command line\nCode that passes user input directly to `Runtime.exec`, or some other library routine that executes a command, allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the command to run or library to load. Instead of passing the user input directly to the process or library function, examine the user input and then choose among hard-coded string literals.\n\nIf the applicable libraries or commands cannot be determined at compile time, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that takes a shell script that can be changed maliciously by a user, and passes it straight to `Runtime.exec` without examining it first.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n String script = System.getenv(\"SCRIPTNAME\");\n if (script != null) {\n // BAD: The script to be executed is controlled by the user.\n Runtime.getRuntime().exec(script);\n }\n }\n}\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. 
Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown": "# Uncontrolled command line\nCode that passes user input directly to `Runtime.exec`, or some other library routine that executes a command, allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the command to run or library to load. Instead of passing the user input directly to the process or library function, examine the user input and then choose among hard-coded string literals.\n\nIf the applicable libraries or commands cannot be determined at compile time, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that takes a shell script that can be changed maliciously by a user, and passes it straight to `Runtime.exec` without examining it first.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n String script = System.getenv(\"SCRIPTNAME\");\n if (script != null) {\n // BAD: The script to be executed is controlled by the user.\n Runtime.getRuntime().exec(script);\n }\n }\n}\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. 
Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-078", + "external/cwe/cwe-088", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/concatenated-command-line", + "name": "java/concatenated-command-line", + "shortDescription": { + "text": "Building a command line with string concatenation" + }, + "fullDescription": { + "text": "Using concatenated strings in a command line is vulnerable to malicious insertion of special characters in the strings." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Building a command line with string concatenation\nCode that builds a command line by concatenating strings that have been entered by a user allows the user to execute malicious code.\n\n\n## Recommendation\nExecute external commands using an array of strings rather than a single string. By using an array, many possible vulnerabilities in the formatting of the string are avoided.\n\n\n## Example\nIn the following example, `latlonCoords` contains a string that has been entered by a user but not validated by the program. This allows the user to, for example, append an ampersand (&) followed by the command for a malicious program to the end of the string. The ampersand instructs Windows to execute another program. In the block marked 'BAD', `latlonCoords` is passed to `exec` as part of a concatenated string, which allows more than one command to be executed. 
However, in the block marked 'GOOD', `latlonCoords` is passed as part of an array, which means that `exec` treats it only as an argument.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n // BAD: user input might include special characters such as ampersands\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(\"cmd.exe /C latlon2utm.exe \" + latlonCoords);\n }\n\n // GOOD: use an array of arguments instead of executing a string\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(new String[] {\n \"c:\\\\path\\to\\latlon2utm.exe\",\n latlonCoords });\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown": "# Building a command line with string concatenation\nCode that builds a command line by concatenating strings that have been entered by a user allows the user to execute malicious code.\n\n\n## Recommendation\nExecute external commands using an array of strings rather than a single string. By using an array, many possible vulnerabilities in the formatting of the string are avoided.\n\n\n## Example\nIn the following example, `latlonCoords` contains a string that has been entered by a user but not validated by the program. This allows the user to, for example, append an ampersand (&) followed by the command for a malicious program to the end of the string. The ampersand instructs Windows to execute another program. 
In the block marked 'BAD', `latlonCoords` is passed to `exec` as part of a concatenated string, which allows more than one command to be executed. However, in the block marked 'GOOD', `latlonCoords` is passed as part of an array, which means that `exec` treats it only as an argument.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n // BAD: user input might include special characters such as ampersands\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(\"cmd.exe /C latlon2utm.exe \" + latlonCoords);\n }\n\n // GOOD: use an array of arguments instead of executing a string\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(new String[] {\n \"c:\\\\path\\to\\latlon2utm.exe\",\n latlonCoords });\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-078", + "external/cwe/cwe-088", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/error-message-exposure", + "name": "java/error-message-exposure", + "shortDescription": { + "text": "Information exposure through an error message" + }, + "fullDescription": { + "text": "Information from an error message propagates to an external user. 
Error messages can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Information exposure through an error message\nThe error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the error message entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `getMessage()` method. As such, the user is able to see a detailed error message, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a exception message back to the response\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\tex.getMessage());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the exception message, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex.getMessage);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. 
Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n", + "markdown": "# Information exposure through an error message\nThe error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the error message entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `getMessage()` method. As such, the user is able to see a detailed error message, which may contain sensitive information. In the second version, the error message is logged only on the server. 
That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a exception message back to the response\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\tex.getMessage());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the exception message, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex.getMessage);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-209", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql", + "precision": "high", + "security-severity": "5.4" + } + }, + { + "id": "java/groovy-injection", + "name": "java/groovy-injection", + "shortDescription": { + "text": "Groovy Language injection" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled Groovy script may lead to arbitrary code execution." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Groovy Language injection\nApache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. If a Groovy script is built using attacker-controlled data, and then evaluated, then it may allow the attacker to achieve RCE.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a Groovy evaluation. If this is not possible, use a sandbox solution. Developers must also take care that Groovy compile-time metaprogramming can also lead to RCE: it is possible to achieve RCE by compiling a Groovy script (see the article \"Abusing Meta Programming for Unauthenticated RCE!\" linked below). Groovy's `SecureASTCustomizer` allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. The fundamental problem is that Groovy is a dynamic language, yet `SecureASTCustomizer` works by looking at Groovy AST statically. This makes it very easy for an attacker to bypass many of the intended checks (see \\[Groovy SecureASTCustomizer is harmful\\](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/)). Therefore, besides `SecureASTCustomizer`, runtime checks are also necessary before calling Groovy methods (see \\[Improved sandboxing of Groovy scripts\\](https://melix.github.io/blog/2015/03/sandboxing.html)). It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. 
This method is not always recommended, because block-lists can be bypassed by unexpected values.\n\n\n## Example\nThe following example uses untrusted data to evaluate a Groovy script.\n\n\n```java\npublic class GroovyInjection {\n void injectionViaClassLoader(HttpServletRequest request) { \n String script = request.getParameter(\"script\");\n final GroovyClassLoader classLoader = new GroovyClassLoader();\n Class groovy = classLoader.parseClass(script);\n GroovyObject groovyObj = (GroovyObject) groovy.newInstance();\n }\n\n void injectionViaEval(HttpServletRequest request) {\n String script = request.getParameter(\"script\");\n Eval.me(script);\n }\n\n void injectionViaGroovyShell(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n shell.evaluate(script);\n }\n\n void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n GroovyCodeSource gcs = new GroovyCodeSource(script, \"test\", \"Test\");\n shell.evaluate(gcs);\n }\n}\n\n\n```\nThe following example uses classloader block-list approach to exclude loading dangerous classes.\n\n\n```java\npublic class SandboxGroovyClassLoader extends ClassLoader {\n public SandboxGroovyClassLoader(ClassLoader parent) {\n super(parent);\n }\n\n /* override `loadClass` here to prevent loading sensitive classes, such as `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.lang.System`, etc. */\n /* Note we must also block `groovy.transform.ASTTest`, `groovy.lang.GrabConfig` and `org.buildobjects.process.ProcBuilder` to prevent compile-time RCE. 
*/\n\n static void runWithSandboxGroovyClassLoader() throws Exception {\n // GOOD: route all class-loading via sand-boxing classloader.\n SandboxGroovyClassLoader classLoader = new GroovyClassLoader(new SandboxGroovyClassLoader());\n \n Class scriptClass = classLoader.parseClass(untrusted.getQueryString());\n Object scriptInstance = scriptClass.newInstance();\n Object result = scriptClass.getDeclaredMethod(\"bar\", new Class[]{}).invoke(scriptInstance, new Object[]{});\n }\n}\n```\n\n## References\n* Orange Tsai: [Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html).\n* Cédric Champeau: [Improved sandboxing of Groovy scripts](https://melix.github.io/blog/2015/03/sandboxing.html).\n* Kohsuke Kawaguchi: [Groovy SecureASTCustomizer is harmful](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).\n* Welk1n: [Groovy Injection payloads](https://github.com/welk1n/exploiting-groovy-in-Java/).\n* Charles Chan: [Secure Groovy Script Execution in a Sandbox](https://levelup.gitconnected.com/secure-groovy-script-execution-in-a-sandbox-ea39f80ee87/).\n* Eugene: [Scripting and sandboxing in a JVM environment](https://stringconcat.com/en/scripting-and-sandboxing/).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Groovy Language injection\nApache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. 
If a Groovy script is built using attacker-controlled data, and then evaluated, then it may allow the attacker to achieve RCE.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a Groovy evaluation. If this is not possible, use a sandbox solution. Developers must also take care that Groovy compile-time metaprogramming can also lead to RCE: it is possible to achieve RCE by compiling a Groovy script (see the article \"Abusing Meta Programming for Unauthenticated RCE!\" linked below). Groovy's `SecureASTCustomizer` allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. The fundamental problem is that Groovy is a dynamic language, yet `SecureASTCustomizer` works by looking at Groovy AST statically. This makes it very easy for an attacker to bypass many of the intended checks (see \\[Groovy SecureASTCustomizer is harmful\\](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/)). Therefore, besides `SecureASTCustomizer`, runtime checks are also necessary before calling Groovy methods (see \\[Improved sandboxing of Groovy scripts\\](https://melix.github.io/blog/2015/03/sandboxing.html)). It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. 
This method is not always recommended, because block-lists can be bypassed by unexpected values.\n\n\n## Example\nThe following example uses untrusted data to evaluate a Groovy script.\n\n\n```java\npublic class GroovyInjection {\n void injectionViaClassLoader(HttpServletRequest request) { \n String script = request.getParameter(\"script\");\n final GroovyClassLoader classLoader = new GroovyClassLoader();\n Class groovy = classLoader.parseClass(script);\n GroovyObject groovyObj = (GroovyObject) groovy.newInstance();\n }\n\n void injectionViaEval(HttpServletRequest request) {\n String script = request.getParameter(\"script\");\n Eval.me(script);\n }\n\n void injectionViaGroovyShell(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n shell.evaluate(script);\n }\n\n void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n GroovyCodeSource gcs = new GroovyCodeSource(script, \"test\", \"Test\");\n shell.evaluate(gcs);\n }\n}\n\n\n```\nThe following example uses classloader block-list approach to exclude loading dangerous classes.\n\n\n```java\npublic class SandboxGroovyClassLoader extends ClassLoader {\n public SandboxGroovyClassLoader(ClassLoader parent) {\n super(parent);\n }\n\n /* override `loadClass` here to prevent loading sensitive classes, such as `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.lang.System`, etc. */\n /* Note we must also block `groovy.transform.ASTTest`, `groovy.lang.GrabConfig` and `org.buildobjects.process.ProcBuilder` to prevent compile-time RCE. 
*/\n\n static void runWithSandboxGroovyClassLoader() throws Exception {\n // GOOD: route all class-loading via sand-boxing classloader.\n SandboxGroovyClassLoader classLoader = new GroovyClassLoader(new SandboxGroovyClassLoader());\n \n Class scriptClass = classLoader.parseClass(untrusted.getQueryString());\n Object scriptInstance = scriptClass.newInstance();\n Object result = scriptClass.getDeclaredMethod(\"bar\", new Class[]{}).invoke(scriptInstance, new Object[]{});\n }\n}\n```\n\n## References\n* Orange Tsai: [Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html).\n* Cédric Champeau: [Improved sandboxing of Groovy scripts](https://melix.github.io/blog/2015/03/sandboxing.html).\n* Kohsuke Kawaguchi: [Groovy SecureASTCustomizer is harmful](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).\n* Welk1n: [Groovy Injection payloads](https://github.com/welk1n/exploiting-groovy-in-Java/).\n* Charles Chan: [Secure Groovy Script Execution in a Sandbox](https://levelup.gitconnected.com/secure-groovy-script-execution-in-a-sandbox-ea39f80ee87/).\n* Eugene: [Scripting and sandboxing in a JVM environment](https://stringconcat.com/en/scripting-and-sandboxing/).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/http-response-splitting", + "name": "java/http-response-splitting", + "shortDescription": { + "text": "HTTP response splitting" + }, + "fullDescription": { + "text": "Writing user input directly to an HTTP header makes code vulnerable to attack by header splitting." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# HTTP response splitting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. 
The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. 
The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n", + "markdown": "# HTTP response splitting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. 
The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. 
The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response 
splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-113", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/implicit-cast-in-compound-assignment", + "name": "java/implicit-cast-in-compound-assignment", + "shortDescription": { + "text": "Implicit narrowing conversion in compound assignment" + }, + "fullDescription": { + "text": "Compound assignment statements (for example 'intvar += longvar') that implicitly cast a value of a wider type to a narrower type may result in information loss and numeric errors such as overflows." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Implicit narrowing conversion in compound assignment\nCompound assignment statements of the form `x += y` or `x *= y` perform an implicit narrowing conversion if the type of `x` is narrower than the type of `y`. For example, `x += y` is equivalent to `x = (T)(x + y)`, where `T` is the type of `x`. This can result in information loss and numeric errors such as overflows.\n\n\n## Recommendation\nEnsure that the type of the left-hand side of the compound assignment statement is at least as wide as the type of the right-hand side.\n\n\n## Example\nIf `x` is of type `short` and `y` is of type `int`, the expression `x + y` is of type `int`. However, the expression `x += y` is equivalent to `x = (short) (x + y)`. The expression `x + y` is cast to the type of the left-hand side of the assignment: `short`, possibly leading to information loss.\n\nTo avoid implicitly narrowing the type of `x + y`, change the type of `x` to `int`. 
Then the types of `x` and `x + y` are both `int` and there is no need for an implicit cast.\n\n\n## References\n* J. Bloch and N. Gafter, *Java Puzzlers: Traps, Pitfalls, and Corner Cases*, Puzzle 9. Addison-Wesley, 2005.\n* Java Language Specification: [Compound Assignment Operators](https://docs.oracle.com/javase/specs/jls/se11/html/jls-15.html#jls-15.26.2), [Narrowing Primitive Conversion](https://docs.oracle.com/javase/specs/jls/se11/html/jls-5.html#jls-5.1.3).\n* SEI CERT Oracle Coding Standard for Java: [NUM00-J. Detect or prevent integer overflow](https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow).\n* Common Weakness Enumeration: [CWE-190](https://cwe.mitre.org/data/definitions/190.html).\n* Common Weakness Enumeration: [CWE-192](https://cwe.mitre.org/data/definitions/192.html).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n", + "markdown": "# Implicit narrowing conversion in compound assignment\nCompound assignment statements of the form `x += y` or `x *= y` perform an implicit narrowing conversion if the type of `x` is narrower than the type of `y`. For example, `x += y` is equivalent to `x = (T)(x + y)`, where `T` is the type of `x`. This can result in information loss and numeric errors such as overflows.\n\n\n## Recommendation\nEnsure that the type of the left-hand side of the compound assignment statement is at least as wide as the type of the right-hand side.\n\n\n## Example\nIf `x` is of type `short` and `y` is of type `int`, the expression `x + y` is of type `int`. However, the expression `x += y` is equivalent to `x = (short) (x + y)`. The expression `x + y` is cast to the type of the left-hand side of the assignment: `short`, possibly leading to information loss.\n\nTo avoid implicitly narrowing the type of `x + y`, change the type of `x` to `int`. 
Then the types of `x` and `x + y` are both `int` and there is no need for an implicit cast.\n\n\n## References\n* J. Bloch and N. Gafter, *Java Puzzlers: Traps, Pitfalls, and Corner Cases*, Puzzle 9. Addison-Wesley, 2005.\n* Java Language Specification: [Compound Assignment Operators](https://docs.oracle.com/javase/specs/jls/se11/html/jls-15.html#jls-15.26.2), [Narrowing Primitive Conversion](https://docs.oracle.com/javase/specs/jls/se11/html/jls-5.html#jls-5.1.3).\n* SEI CERT Oracle Coding Standard for Java: [NUM00-J. Detect or prevent integer overflow](https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow).\n* Common Weakness Enumeration: [CWE-190](https://cwe.mitre.org/data/definitions/190.html).\n* Common Weakness Enumeration: [CWE-192](https://cwe.mitre.org/data/definitions/192.html).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-190", + "external/cwe/cwe-192", + "external/cwe/cwe-197", + "external/cwe/cwe-681", + "reliability", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Likely%20Bugs/Arithmetic/InformationLoss.ql", + "precision": "very-high", + "security-severity": "8.1" + } + }, + { + "id": "java/improper-intent-verification", + "name": "java/improper-intent-verification", + "shortDescription": { + "text": "Improper verification of intent by broadcast receiver" + }, + "fullDescription": { + "text": "A broadcast receiver that does not verify intents it receives may be susceptible to unintended behavior by third party applications sending it explicit intents." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Improper verification of intent by broadcast receiver\nWhen an Android application uses a `BroadcastReceiver` to receive intents, it is also able to receive explicit intents that are sent directly to it, regardless of its filter. Certain intent actions are only able to be sent by the operating system, not third-party applications. However, a `BroadcastReceiver` that is registered to receive system intents is still able to receive intents from a third-party application, so it should check that the intent received has the expected action. Otherwise, a third-party application could impersonate the system this way to cause unintended behavior, such as a denial of service.\n\n\n## Example\nIn the following code, the `ShutdownReceiver` initiates a shutdown procedure upon receiving an intent, without checking that the received action is indeed `ACTION_SHUTDOWN`. This allows third-party applications to send explicit intents to this receiver to cause a denial of service.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n```xml\n\n \n \n \n \n \n \n \n\n```\n\n## Recommendation\nIn the `onReceive` method of a `BroadcastReceiver`, the action of the received Intent should be checked. 
The following code demonstrates this.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {\n return;\n }\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n## References\n* Common Weakness Enumeration: [CWE-925](https://cwe.mitre.org/data/definitions/925.html).\n", + "markdown": "# Improper verification of intent by broadcast receiver\nWhen an Android application uses a `BroadcastReceiver` to receive intents, it is also able to receive explicit intents that are sent directly to it, regardless of its filter. Certain intent actions are only able to be sent by the operating system, not third-party applications. However, a `BroadcastReceiver` that is registered to receive system intents is still able to receive intents from a third-party application, so it should check that the intent received has the expected action. Otherwise, a third-party application could impersonate the system this way to cause unintended behavior, such as a denial of service.\n\n\n## Example\nIn the following code, the `ShutdownReceiver` initiates a shutdown procedure upon receiving an intent, without checking that the received action is indeed `ACTION_SHUTDOWN`. This allows third-party applications to send explicit intents to this receiver to cause a denial of service.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n```xml\n\n \n \n \n \n \n \n \n\n```\n\n## Recommendation\nIn the `onReceive` method of a `BroadcastReceiver`, the action of the received Intent should be checked. 
The following code demonstrates this.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {\n return;\n }\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n## References\n* Common Weakness Enumeration: [CWE-925](https://cwe.mitre.org/data/definitions/925.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-925", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/improper-webview-certificate-validation", + "name": "java/improper-webview-certificate-validation", + "shortDescription": { + "text": "Android `WebView` that accepts all certificates" + }, + "fullDescription": { + "text": "Trusting all certificates allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android `WebView` that accepts all certificates\nIf the `onReceivedSslError` method of an Android `WebViewClient` always calls `proceed` on the given `SslErrorHandler`, it trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable application connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable application calls the `onReceivedSslError` method to check whether it should trust the certificate.\n1. The `onReceivedSslError` method of your `WebViewClient` calls `SslErrorHandler.proceed`.\n1. 
The vulnerable application accepts the certificate and proceeds with the connection since your `WevViewClient` trusted it by proceeding.\n1. The attacker can now read the data your application sends to `https://example.com` and/or alter its replies while the application thinks the connection is secure.\n\n## Recommendation\nDo not use a call `SslerrorHandler.proceed` unconditionally. If you have to use a self-signed certificate, only accept that certificate, not all certificates.\n\n\n## Example\nIn the first (bad) example, the `WebViewClient` trusts all certificates by always calling `SslErrorHandler.proceed`. In the second (good) example, only certificates signed by a certain public key are accepted.\n\n\n```java\nclass Bad extends WebViewClient {\n // BAD: All certificates are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n handler.proceed(); \n }\n}\n\nclass Good extends WebViewClient {\n PublicKey myPubKey = ...;\n\n // GOOD: Only certificates signed by a certain public key are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n try {\n X509Certificate cert = error.getCertificate().getX509Certificate();\n cert.verify(this.myPubKey);\n handler.proceed();\n }\n catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {\n handler.cancel();\n }\n } \n}\n```\n\n## References\n* [WebViewClient.onReceivedSslError documentation](https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n", + "markdown": "# Android `WebView` that accepts all certificates\nIf the `onReceivedSslError` method of an Android `WebViewClient` always calls `proceed` on the given 
`SslErrorHandler`, it trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable application connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable application calls the `onReceivedSslError` method to check whether it should trust the certificate.\n1. The `onReceivedSslError` method of your `WebViewClient` calls `SslErrorHandler.proceed`.\n1. The vulnerable application accepts the certificate and proceeds with the connection since your `WevViewClient` trusted it by proceeding.\n1. The attacker can now read the data your application sends to `https://example.com` and/or alter its replies while the application thinks the connection is secure.\n\n## Recommendation\nDo not use a call `SslerrorHandler.proceed` unconditionally. If you have to use a self-signed certificate, only accept that certificate, not all certificates.\n\n\n## Example\nIn the first (bad) example, the `WebViewClient` trusts all certificates by always calling `SslErrorHandler.proceed`. 
In the second (good) example, only certificates signed by a certain public key are accepted.\n\n\n```java\nclass Bad extends WebViewClient {\n // BAD: All certificates are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n handler.proceed(); \n }\n}\n\nclass Good extends WebViewClient {\n PublicKey myPubKey = ...;\n\n // GOOD: Only certificates signed by a certain public key are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n try {\n X509Certificate cert = error.getCertificate().getX509Certificate();\n cert.verify(this.myPubKey);\n handler.proceed();\n }\n catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {\n handler.cancel();\n }\n } \n}\n```\n\n## References\n* [WebViewClient.onReceivedSslError documentation](https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-295", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/insecure-bean-validation", + "name": "java/insecure-bean-validation", + "shortDescription": { + "text": "Insecure Bean Validation" + }, + "fullDescription": { + "text": "User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Insecure Bean Validation\nCustom error messages for constraint validators support different types of interpolation, including [Java EL expressions](https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions). Controlling part of the message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()` argument can lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.\n\n\n## Recommendation\nThere are different approaches to remediate the issue:\n\n* Do not include validated bean properties in the custom error message.\n* Use parameterized messages instead of string concatenation. For example:\n```\nHibernateConstraintValidatorContext context =\n constraintValidatorContext.unwrap(HibernateConstraintValidatorContext.class);\ncontext.addMessageParameter(\"foo\", \"bar\");\ncontext.buildConstraintViolationWithTemplate(\"My violation message contains a parameter {foo}\")\n .addConstraintViolation();\n```\n* Sanitize the validated bean properties to make sure that there are no EL expressions. An example of valid sanitization logic can be found [here](https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17).\n* Disable the EL interpolation and only use `ParameterMessageInterpolator`:\n```\nValidator validator = Validation.byDefaultProvider()\n .configure()\n .messageInterpolator(new ParameterMessageInterpolator())\n .buildValidatorFactory()\n .getValidator();\n```\n* Replace Hibernate Validator with Apache BVal, which in its latest version does not interpolate EL expressions by default. 
Note that this replacement may not be a simple drop-in replacement.\n\n## Example\nThe following validator could result in arbitrary Java code execution:\n\n\n```java\nimport javax.validation.ConstraintValidator;\nimport javax.validation.ConstraintValidatorContext;\nimport org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;\nimport java.util.regex.Matcher;\nimport java.util.regex.Pattern;\n\npublic class TestValidator implements ConstraintValidator {\n\n public static class InterpolationHelper {\n\n public static final char BEGIN_TERM = '{';\n public static final char END_TERM = '}';\n public static final char EL_DESIGNATOR = '$';\n public static final char ESCAPE_CHARACTER = '\\\\';\n\n private static final Pattern ESCAPE_MESSAGE_PARAMETER_PATTERN = Pattern.compile( \"([\\\\\" + ESCAPE_CHARACTER + BEGIN_TERM + END_TERM + EL_DESIGNATOR + \"])\" );\n\n private InterpolationHelper() {\n }\n\n public static String escapeMessageParameter(String messageParameter) {\n if ( messageParameter == null ) {\n return null;\n }\n return ESCAPE_MESSAGE_PARAMETER_PATTERN.matcher( messageParameter ).replaceAll( Matcher.quoteReplacement( String.valueOf( ESCAPE_CHARACTER ) ) + \"$1\" );\n }\n\n }\n\n @Override\n public boolean isValid(String object, ConstraintValidatorContext constraintContext) {\n String value = object + \" is invalid\";\n\n // Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`\n constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are escaped \n String escaped = InterpolationHelper.escapeMessageParameter(value);\n constraintContext.buildConstraintViolationWithTemplate(escaped).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are parameterized\n HibernateConstraintValidatorContext 
context = constraintContext.unwrap( HibernateConstraintValidatorContext.class );\n context.addMessageParameter( \"prop\", object );\n context.buildConstraintViolationWithTemplate( \"{prop} is invalid\").addConstraintViolation();\n return false;\n }\n\n}\n\n```\n\n## References\n* Hibernate Reference Guide: [ConstraintValidatorContext](https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code).\n* GitHub Security Lab research: [Bean validation](https://securitylab.github.com/research/bean-validation-RCE).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Insecure Bean Validation\nCustom error messages for constraint validators support different types of interpolation, including [Java EL expressions](https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions). Controlling part of the message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()` argument can lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.\n\n\n## Recommendation\nThere are different approaches to remediate the issue:\n\n* Do not include validated bean properties in the custom error message.\n* Use parameterized messages instead of string concatenation. For example:\n```\nHibernateConstraintValidatorContext context =\n constraintValidatorContext.unwrap(HibernateConstraintValidatorContext.class);\ncontext.addMessageParameter(\"foo\", \"bar\");\ncontext.buildConstraintViolationWithTemplate(\"My violation message contains a parameter {foo}\")\n .addConstraintViolation();\n```\n* Sanitize the validated bean properties to make sure that there are no EL expressions. 
An example of valid sanitization logic can be found [here](https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17).\n* Disable the EL interpolation and only use `ParameterMessageInterpolator`:\n```\nValidator validator = Validation.byDefaultProvider()\n .configure()\n .messageInterpolator(new ParameterMessageInterpolator())\n .buildValidatorFactory()\n .getValidator();\n```\n* Replace Hibernate Validator with Apache BVal, which in its latest version does not interpolate EL expressions by default. Note that this replacement may not be a simple drop-in replacement.\n\n## Example\nThe following validator could result in arbitrary Java code execution:\n\n\n```java\nimport javax.validation.ConstraintValidator;\nimport javax.validation.ConstraintValidatorContext;\nimport org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;\nimport java.util.regex.Matcher;\nimport java.util.regex.Pattern;\n\npublic class TestValidator implements ConstraintValidator {\n\n public static class InterpolationHelper {\n\n public static final char BEGIN_TERM = '{';\n public static final char END_TERM = '}';\n public static final char EL_DESIGNATOR = '$';\n public static final char ESCAPE_CHARACTER = '\\\\';\n\n private static final Pattern ESCAPE_MESSAGE_PARAMETER_PATTERN = Pattern.compile( \"([\\\\\" + ESCAPE_CHARACTER + BEGIN_TERM + END_TERM + EL_DESIGNATOR + \"])\" );\n\n private InterpolationHelper() {\n }\n\n public static String escapeMessageParameter(String messageParameter) {\n if ( messageParameter == null ) {\n return null;\n }\n return ESCAPE_MESSAGE_PARAMETER_PATTERN.matcher( messageParameter ).replaceAll( Matcher.quoteReplacement( String.valueOf( ESCAPE_CHARACTER ) ) + \"$1\" );\n }\n\n }\n\n @Override\n public boolean isValid(String object, ConstraintValidatorContext constraintContext) {\n String value = object + \" is invalid\";\n\n 
// Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`\n constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are escaped \n String escaped = InterpolationHelper.escapeMessageParameter(value);\n constraintContext.buildConstraintViolationWithTemplate(escaped).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are parameterized\n HibernateConstraintValidatorContext context = constraintContext.unwrap( HibernateConstraintValidatorContext.class );\n context.addMessageParameter( \"prop\", object );\n context.buildConstraintViolationWithTemplate( \"{prop} is invalid\").addConstraintViolation();\n return false;\n }\n\n}\n\n```\n\n## References\n* Hibernate Reference Guide: [ConstraintValidatorContext](https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code).\n* GitHub Security Lab research: [Bean validation](https://securitylab.github.com/research/bean-validation-RCE).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/insecure-cookie", + "name": "java/insecure-cookie", + "shortDescription": { + "text": "Failure to use secure cookies" + }, + "fullDescription": { + "text": "Insecure cookies may be sent in cleartext, which makes them vulnerable to interception." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Failure to use secure cookies\nFailing to set the 'secure' flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.\n\n\n## Recommendation\nAlways use `setSecure` to set the 'secure' flag on a cookie before adding it to an `HttpServletResponse`.\n\n\n## Example\nThis example shows two ways of adding a cookie to an `HttpServletResponse`. The first way leaves out the setting of the 'secure' flag; the second way includes the setting of the flag.\n\n\n```java\npublic static void test(HttpServletRequest request, HttpServletResponse response) {\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// BAD: 'secure' flag not set\n\t\tresponse.addCookie(cookie);\n\t}\n\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// GOOD: set 'secure' flag\n\t\tcookie.setSecure(true);\n\t\tresponse.addCookie(cookie);\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* Java Platform, Enterprise Edition (Java EE) 7, API Specification: [Class Cookie](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n", + "markdown": "# Failure to use secure cookies\nFailing to set the 'secure' flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.\n\n\n## Recommendation\nAlways use `setSecure` to set the 'secure' flag on a cookie before adding it to an `HttpServletResponse`.\n\n\n## Example\nThis example shows two ways of adding a cookie to an `HttpServletResponse`. 
The first way leaves out the setting of the 'secure' flag; the second way includes the setting of the flag.\n\n\n```java\npublic static void test(HttpServletRequest request, HttpServletResponse response) {\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// BAD: 'secure' flag not set\n\t\tresponse.addCookie(cookie);\n\t}\n\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// GOOD: set 'secure' flag\n\t\tcookie.setSecure(true);\n\t\tresponse.addCookie(cookie);\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* Java Platform, Enterprise Edition (Java EE) 7, API Specification: [Class Cookie](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-614", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/insecure-ldap-auth", + "name": "java/insecure-ldap-auth", + "shortDescription": { + "text": "Insecure LDAP authentication" + }, + "fullDescription": { + "text": "LDAP authentication with credentials sent in cleartext makes sensitive information vulnerable to remote attackers" + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Insecure LDAP authentication\nWhen using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. 
Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.\n\n\n## Recommendation\nUse the `ldaps://` protocol to send credentials through SSL or use SASL authentication.\n\n\n## Example\nIn the following (bad) example, a `ldap://` URL is used and credentials will be sent in plaintext.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldaps://` URL is used so credentials will be encrypted with SSL.\n\n\n```java\nString ldapUrl = \"ldaps://ad.your-server.com:636\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldap://` URL is used, but SASL authentication is enabled so that the credentials will be encrypted.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, 
\"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"DIGEST-MD5 GSSAPI\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\n\n## References\n* Oracle: [LDAP and LDAPS URLs](https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html)\n* Oracle: [Simple authentication](https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html)\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n", + "markdown": "# Insecure LDAP authentication\nWhen using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.\n\n\n## Recommendation\nUse the `ldaps://` protocol to send credentials through SSL or use SASL authentication.\n\n\n## Example\nIn the following (bad) example, a `ldap://` URL is used and credentials will be sent in plaintext.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldaps://` URL is used so credentials will be encrypted with SSL.\n\n\n```java\nString ldapUrl = \"ldaps://ad.your-server.com:636\";\nHashtable environment = new 
Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldap://` URL is used, but SASL authentication is enabled so that the credentials will be encrypted.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"DIGEST-MD5 GSSAPI\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\n\n## References\n* Oracle: [LDAP and LDAPS URLs](https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html)\n* Oracle: [Simple authentication](https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html)\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-319", + "external/cwe/cwe-522", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/insecure-randomness", + "name": "java/insecure-randomness", + "shortDescription": { + "text": "Insecure randomness" + }, + 
"fullDescription": { + "text": "Using a cryptographically Insecure pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Insecure randomness\nIf you use a cryptographically weak pseudo-random number generator to generate security-sensitive values, such as passwords, attackers can more easily predict those values.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values (the seed). If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nThe `java.util.Random` random number generator is not cryptographically secure. Use a secure random number generator such as `java.security.SecureRandom` instead.\n\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a general rule, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\n\n## Example\nThe following examples show different ways of generating a cookie with a random value.\n\nIn the first (BAD) case, we generate a fresh cookie by appending a random integer to the end of a static string. 
The random number generator used (`Random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated cookie.\n\n\n```java\nRandom r = new Random();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\nIn the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`SecureRandom`) is cryptographically secure, so it is not possible for an attacker to predict the generated cookie.\n\n\n```java\nSecureRandom r = new SecureRandom();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Java Docs: [Random](http://docs.oracle.com/javase/8/docs/api/java/util/Random.html).\n* Java Docs: [SecureRandom](http://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).\n* Common Weakness Enumeration: [CWE-330](https://cwe.mitre.org/data/definitions/330.html).\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n", + "markdown": "# Insecure randomness\nIf you use a cryptographically weak pseudo-random number generator to generate security-sensitive values, such as passwords, attackers can more easily predict those values.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values (the seed). 
If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nThe `java.util.Random` random number generator is not cryptographically secure. Use a secure random number generator such as `java.security.SecureRandom` instead.\n\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a general rule, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\n\n## Example\nThe following examples show different ways of generating a cookie with a random value.\n\nIn the first (BAD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`Random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated cookie.\n\n\n```java\nRandom r = new Random();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\nIn the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static string. 
The random number generator used (`SecureRandom`) is cryptographically secure, so it is not possible for an attacker to predict the generated cookie.\n\n\n```java\nSecureRandom r = new SecureRandom();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Java Docs: [Random](http://docs.oracle.com/javase/8/docs/api/java/util/Random.html).\n* Java Docs: [SecureRandom](http://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).\n* Common Weakness Enumeration: [CWE-330](https://cwe.mitre.org/data/definitions/330.html).\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-330", + "external/cwe/cwe-338", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/insecure-trustmanager", + "name": "java/insecure-trustmanager", + "shortDescription": { + "text": "`TrustManager` that accepts all certificates" + }, + "fullDescription": { + "text": "Trusting all certificates allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# `TrustManager` that accepts all certificates\nIf the `checkServerTrusted` method of a `TrustManager` never throws a `CertificateException`, it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. 
The vulnerable program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable program calls the `checkServerTrusted` method to check whether it should trust the certificate.\n1. The `checkServerTrusted` method of your `TrustManager` does not throw a `CertificateException`.\n1. The vulnerable program accepts the certificate and proceeds with the connection since your `TrustManager` implicitly trusted it by not throwing an exception.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use a custom `TrustManager` that trusts any certificate. If you have to use a self-signed certificate, don't trust every certificate, but instead only trust this specific certificate. See below for an example of how to do this.\n\n\n## Example\nIn the first (bad) example, the `TrustManager` never throws a `CertificateException` and therefore implicitly trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack. In the second (good) example, the self-signed certificate that should be trusted is loaded into a `KeyStore`. 
This explicitly defines the certificate as trusted and there is no need to create a custom `TrustManager`.\n\n\n```java\npublic static void main(String[] args) throws Exception {\n {\n class InsecureTrustManager implements X509TrustManager {\n @Override\n public X509Certificate[] getAcceptedIssuers() {\n return null;\n }\n\n @Override\n public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n // BAD: Does not verify the certificate chain, allowing any certificate.\n }\n\n @Override\n public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n\n }\n }\n SSLContext context = SSLContext.getInstance(\"TLS\");\n TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };\n context.init(null, trustManager, null);\n }\n {\n SSLContext context = SSLContext.getInstance(\"TLS\");\n File certificateFile = new File(\"path/to/self-signed-certificate\");\n // Create a `KeyStore` with default type\n KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());\n // `keyStore` is initially empty\n keyStore.load(null, null);\n X509Certificate generatedCertificate;\n try (InputStream cert = new FileInputStream(certificateFile)) {\n generatedCertificate = (X509Certificate) CertificateFactory.getInstance(\"X509\")\n .generateCertificate(cert);\n }\n // Add the self-signed certificate to the key store\n keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);\n // Get default `TrustManagerFactory`\n TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n // Use it with our key store that trusts our self-signed certificate\n tmf.init(keyStore);\n TrustManager[] trustManagers = tmf.getTrustManagers();\n context.init(null, trustManagers, null);\n // GOOD, we are not using a custom `TrustManager` but instead have\n // added the self-signed certificate we want to trust to the key\n // store. 
Note, the `trustManagers` will **only** trust this one\n // certificate.\n \n URL url = new URL(\"https://self-signed.badssl.com/\");\n HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n conn.setSSLSocketFactory(context.getSocketFactory());\n }\n}\n\n```\n\n## References\n* Android Developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n", + "markdown": "# `TrustManager` that accepts all certificates\nIf the `checkServerTrusted` method of a `TrustManager` never throws a `CertificateException`, it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable program calls the `checkServerTrusted` method to check whether it should trust the certificate.\n1. The `checkServerTrusted` method of your `TrustManager` does not throw a `CertificateException`.\n1. The vulnerable program accepts the certificate and proceeds with the connection since your `TrustManager` implicitly trusted it by not throwing an exception.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use a custom `TrustManager` that trusts any certificate. If you have to use a self-signed certificate, don't trust every certificate, but instead only trust this specific certificate. 
See below for an example of how to do this.\n\n\n## Example\nIn the first (bad) example, the `TrustManager` never throws a `CertificateException` and therefore implicitly trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack. In the second (good) example, the self-signed certificate that should be trusted is loaded into a `KeyStore`. This explicitly defines the certificate as trusted and there is no need to create a custom `TrustManager`.\n\n\n```java\npublic static void main(String[] args) throws Exception {\n {\n class InsecureTrustManager implements X509TrustManager {\n @Override\n public X509Certificate[] getAcceptedIssuers() {\n return null;\n }\n\n @Override\n public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n // BAD: Does not verify the certificate chain, allowing any certificate.\n }\n\n @Override\n public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n\n }\n }\n SSLContext context = SSLContext.getInstance(\"TLS\");\n TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };\n context.init(null, trustManager, null);\n }\n {\n SSLContext context = SSLContext.getInstance(\"TLS\");\n File certificateFile = new File(\"path/to/self-signed-certificate\");\n // Create a `KeyStore` with default type\n KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());\n // `keyStore` is initially empty\n keyStore.load(null, null);\n X509Certificate generatedCertificate;\n try (InputStream cert = new FileInputStream(certificateFile)) {\n generatedCertificate = (X509Certificate) CertificateFactory.getInstance(\"X509\")\n .generateCertificate(cert);\n }\n // Add the self-signed certificate to the key store\n keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);\n // Get default `TrustManagerFactory`\n TrustManagerFactory tmf = 
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n // Use it with our key store that trusts our self-signed certificate\n tmf.init(keyStore);\n TrustManager[] trustManagers = tmf.getTrustManagers();\n context.init(null, trustManagers, null);\n // GOOD, we are not using a custom `TrustManager` but instead have\n // added the self-signed certificate we want to trust to the key\n // store. Note, the `trustManagers` will **only** trust this one\n // certificate.\n \n URL url = new URL(\"https://self-signed.badssl.com/\");\n HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n conn.setSSLSocketFactory(context.getSocketFactory());\n }\n}\n\n```\n\n## References\n* Android Developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-295", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/insufficient-key-size", + "name": "java/insufficient-key-size", + "shortDescription": { + "text": "Use of a cryptographic algorithm with insufficient key size" + }, + "fullDescription": { + "text": "Using cryptographic algorithms with too small a key size can allow an attacker to compromise security." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of a cryptographic algorithm with insufficient key size\nModern encryption relies on the computational infeasibility of breaking a cipher and decoding its message without the key. As computational power increases, the ability to break ciphers grows, and key sizes need to become larger as a result. 
Cryptographic algorithms that use too small of a key size are vulnerable to brute force attacks, which can reveal sensitive data.\n\n\n## Recommendation\nUse a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption, 256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.\n\n\n## Example\nThe following code uses cryptographic algorithms with insufficient key sizes.\n\n\n```java\n KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance(\"RSA\");\n keyPairGen1.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance(\"DSA\");\n keyPairGen2.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance(\"DH\");\n keyPairGen3.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance(\"EC\");\n ECGenParameterSpec ecSpec = new ECGenParameterSpec(\"secp112r1\"); // BAD: Key size is less than 256\n keyPairGen4.initialize(ecSpec);\n\n KeyGenerator keyGen = KeyGenerator.getInstance(\"AES\");\n keyGen.init(64); // BAD: Key size is less than 128\n\n```\nTo fix the code, change the key sizes to be the recommended size or larger for each algorithm.\n\n\n## References\n* Wikipedia: [Key size](http://en.wikipedia.org/wiki/Key_size).\n* Wikipedia: [Strong cryptography](https://en.wikipedia.org/wiki/Strong_cryptography).\n* OWASP: [ Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms).\n* OWASP: [ Testing for Weak Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption).\n* NIST: [ Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).\n* Common 
Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n", + "markdown": "# Use of a cryptographic algorithm with insufficient key size\nModern encryption relies on the computational infeasibility of breaking a cipher and decoding its message without the key. As computational power increases, the ability to break ciphers grows, and key sizes need to become larger as a result. Cryptographic algorithms that use too small of a key size are vulnerable to brute force attacks, which can reveal sensitive data.\n\n\n## Recommendation\nUse a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption, 256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.\n\n\n## Example\nThe following code uses cryptographic algorithms with insufficient key sizes.\n\n\n```java\n KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance(\"RSA\");\n keyPairGen1.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance(\"DSA\");\n keyPairGen2.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance(\"DH\");\n keyPairGen3.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance(\"EC\");\n ECGenParameterSpec ecSpec = new ECGenParameterSpec(\"secp112r1\"); // BAD: Key size is less than 256\n keyPairGen4.initialize(ecSpec);\n\n KeyGenerator keyGen = KeyGenerator.getInstance(\"AES\");\n keyGen.init(64); // BAD: Key size is less than 128\n\n```\nTo fix the code, change the key sizes to be the recommended size or larger for each algorithm.\n\n\n## References\n* Wikipedia: [Key size](http://en.wikipedia.org/wiki/Key_size).\n* Wikipedia: [Strong cryptography](https://en.wikipedia.org/wiki/Strong_cryptography).\n* OWASP: [ Cryptographic Storage Cheat 
Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms).\n* OWASP: [ Testing for Weak Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption).\n* NIST: [ Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-326", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/jexl-expression-injection", + "name": "java/jexl-expression-injection", + "shortDescription": { + "text": "Expression language injection (JEXL)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled JEXL expression may lead to arbitrary code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (JEXL)\nJava EXpression Language (JEXL) is a simple expression language provided by the Apache Commons JEXL library. The syntax is close to a mix of ECMAScript and shell-script. The language allows invocation of methods available in the JVM. If a JEXL expression is built using attacker-controlled data, and then evaluated, then it may allow the attacker to run arbitrary code.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a JEXL expression. 
If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only explicitly allowed classes.\n\n\n## Example\nThe following example uses untrusted data to build and run a JEXL expression.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String input = reader.readLine();\n JexlEngine jexl = new JexlBuilder().create();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows how an untrusted JEXL expression can be run in a sandbox that allows accessing only methods in the `java.lang.Math` class. The sandbox is implemented using `JexlSandbox` class that is provided by Apache Commons JEXL 3.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlSandbox onlyMath = new JexlSandbox(false);\n onlyMath.white(\"java.lang.Math\");\n JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows another way how a sandbox can be implemented. 
It uses a custom implementation of `JexlUberspect` that checks if callees are instances of allowed classes.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlUberspect sandbox = new JexlUberspectSandbox();\n JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n\n private static class JexlUberspectSandbox implements JexlUberspect {\n\n private static final List ALLOWED_CLASSES =\n Arrays.asList(\"java.lang.Math\", \"java.util.Random\");\n\n private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();\n\n private void checkAccess(Object obj) {\n if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {\n throw new AccessControlException(\"Not allowed\");\n }\n }\n\n @Override\n public JexlMethod getMethod(Object obj, String method, Object... args) {\n checkAccess(obj);\n return uberspect.getMethod(obj, method, args);\n }\n\n @Override\n public List getResolvers(JexlOperator op, Object obj) {\n checkAccess(obj);\n return uberspect.getResolvers(op, obj);\n }\n\n @Override\n public void setClassLoader(ClassLoader loader) {\n uberspect.setClassLoader(loader);\n }\n\n @Override\n public int getVersion() {\n return uberspect.getVersion();\n }\n\n @Override\n public JexlMethod getConstructor(Object obj, Object... 
args) {\n checkAccess(obj);\n return uberspect.getConstructor(obj, args);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(obj, identifier);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(List resolvers, Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(resolvers, obj, identifier);\n }\n\n @Override\n public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(obj, identifier, arg);\n }\n\n @Override\n public JexlPropertySet getPropertySet(List resolvers, Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(resolvers, obj, identifier, arg);\n }\n\n @Override\n public Iterator getIterator(Object obj) {\n checkAccess(obj);\n return uberspect.getIterator(obj);\n }\n\n @Override\n public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {\n return uberspect.getArithmetic(arithmetic);\n } \n }\n}\n```\n\n## References\n* Apache Commons JEXL: [Project page](https://commons.apache.org/proper/commons-jexl/).\n* Apache Commons JEXL documentation: [JEXL 2.1.1 API](https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/).\n* Apache Commons JEXL documentation: [JEXL 3.1 API](https://commons.apache.org/proper/commons-jexl/apidocs/index.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (JEXL)\nJava EXpression Language (JEXL) is a simple expression language provided by the Apache Commons JEXL library. The syntax is close to a mix of ECMAScript and shell-script. The language allows invocation of methods available in the JVM. 
If a JEXL expression is built using attacker-controlled data, and then evaluated, then it may allow the attacker to run arbitrary code.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a JEXL expression. If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only explicitly allowed classes.\n\n\n## Example\nThe following example uses untrusted data to build and run a JEXL expression.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String input = reader.readLine();\n JexlEngine jexl = new JexlBuilder().create();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows how an untrusted JEXL expression can be run in a sandbox that allows accessing only methods in the `java.lang.Math` class. The sandbox is implemented using `JexlSandbox` class that is provided by Apache Commons JEXL 3.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlSandbox onlyMath = new JexlSandbox(false);\n onlyMath.white(\"java.lang.Math\");\n JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows another way how a sandbox can be implemented. 
It uses a custom implementation of `JexlUberspect` that checks if callees are instances of allowed classes.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlUberspect sandbox = new JexlUberspectSandbox();\n JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n\n private static class JexlUberspectSandbox implements JexlUberspect {\n\n private static final List ALLOWED_CLASSES =\n Arrays.asList(\"java.lang.Math\", \"java.util.Random\");\n\n private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();\n\n private void checkAccess(Object obj) {\n if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {\n throw new AccessControlException(\"Not allowed\");\n }\n }\n\n @Override\n public JexlMethod getMethod(Object obj, String method, Object... args) {\n checkAccess(obj);\n return uberspect.getMethod(obj, method, args);\n }\n\n @Override\n public List getResolvers(JexlOperator op, Object obj) {\n checkAccess(obj);\n return uberspect.getResolvers(op, obj);\n }\n\n @Override\n public void setClassLoader(ClassLoader loader) {\n uberspect.setClassLoader(loader);\n }\n\n @Override\n public int getVersion() {\n return uberspect.getVersion();\n }\n\n @Override\n public JexlMethod getConstructor(Object obj, Object... 
args) {\n checkAccess(obj);\n return uberspect.getConstructor(obj, args);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(obj, identifier);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(List resolvers, Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(resolvers, obj, identifier);\n }\n\n @Override\n public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(obj, identifier, arg);\n }\n\n @Override\n public JexlPropertySet getPropertySet(List resolvers, Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(resolvers, obj, identifier, arg);\n }\n\n @Override\n public Iterator getIterator(Object obj) {\n checkAccess(obj);\n return uberspect.getIterator(obj);\n }\n\n @Override\n public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {\n return uberspect.getArithmetic(arithmetic);\n } \n }\n}\n```\n\n## References\n* Apache Commons JEXL: [Project page](https://commons.apache.org/proper/commons-jexl/).\n* Apache Commons JEXL documentation: [JEXL 2.1.1 API](https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/).\n* Apache Commons JEXL documentation: [JEXL 3.1 API](https://commons.apache.org/proper/commons-jexl/apidocs/index.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/jhipster-prng", + "name": 
"java/jhipster-prng", + "shortDescription": { + "text": "Detect JHipster Generator Vulnerability CVE-2019-16303" + }, + "fullDescription": { + "text": "Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Detect JHipster Generator Vulnerability CVE-2019-16303\nThis query detects instances of `RandomUtil.java` that were generated by a [JHipster](https://www.jhipster.tech/) version that is vulnerable to [CVE-2019-16303](https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84).\n\nIf an app uses `RandomUtil.java` generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.\n\nThis vulnerability has a [ CVSS v3.0 Base Score of 9.8/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST).\n\n\n## Example\nThe example below shows the vulnerable `RandomUtil` class generated by [JHipster prior to version 6.3.0](https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html).\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n\n private static final int DEF_COUNT = 20;\n\n private RandomUtil() {\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return 
RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n}\n\n```\nBelow is a fixed version of the `RandomUtil` class.\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\nimport java.security.SecureRandom;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom\n\n private static final int DEF_COUNT = 20;\n\n static {\n SECURE_RANDOM.nextBytes(new byte[64]);\n }\n\n private RandomUtil() {\n }\n\n private static String generateRandomAlphanumericString() {\n // GOOD: Passing Secure Random to RandomStringUtils::random\n return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return 
generateRandomAlphanumericString();\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return generateRandomAlphanumericString();\n }\n}\n\n```\n\n## Recommendation\nYou should refactor the `RandomUtil` class and replace every call to `RandomStringUtils.randomAlphaNumeric`. You could regenerate the class using the latest version of JHipster, or use an automated refactoring. For example, using the [Patching JHipster CWE-338](https://github.com/moderneinc/jhipster-cwe-338) for the [Rewrite project](https://github.com/openrewrite/rewrite).\n\n\n## References\n* Cloudflare Blog: [ Why secure systems require random numbers ](https://blog.cloudflare.com/why-randomness-matters/)\n* Hacker News: [ How I Hacked Hacker News (with arc security advisory) ](https://news.ycombinator.com/item?id=639976)\n* Posts by Pucara Information Security Team: [ The Java Soothsayer: A practical application for insecure randomness. 
(Includes free 0day) ](https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n", + "markdown": "# Detect JHipster Generator Vulnerability CVE-2019-16303\nThis query detects instances of `RandomUtil.java` that were generated by a [JHipster](https://www.jhipster.tech/) version that is vulnerable to [CVE-2019-16303](https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84).\n\nIf an app uses `RandomUtil.java` generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.\n\nThis vulnerability has a [ CVSS v3.0 Base Score of 9.8/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST).\n\n\n## Example\nThe example below shows the vulnerable `RandomUtil` class generated by [JHipster prior to version 6.3.0](https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html).\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n\n private static final int DEF_COUNT = 20;\n\n private RandomUtil() {\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * 
Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n}\n\n```\nBelow is a fixed version of the `RandomUtil` class.\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\nimport java.security.SecureRandom;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom\n\n private static final int DEF_COUNT = 20;\n\n static {\n SECURE_RANDOM.nextBytes(new byte[64]);\n }\n\n private RandomUtil() {\n }\n\n private static String generateRandomAlphanumericString() {\n // GOOD: Passing Secure Random to RandomStringUtils::random\n return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n 
public static String generateResetKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return generateRandomAlphanumericString();\n }\n}\n\n```\n\n## Recommendation\nYou should refactor the `RandomUtil` class and replace every call to `RandomStringUtils.randomAlphaNumeric`. You could regenerate the class using the latest version of JHipster, or use an automated refactoring. For example, using the [Patching JHipster CWE-338](https://github.com/moderneinc/jhipster-cwe-338) for the [Rewrite project](https://github.com/openrewrite/rewrite).\n\n\n## References\n* Cloudflare Blog: [ Why secure systems require random numbers ](https://blog.cloudflare.com/why-randomness-matters/)\n* Hacker News: [ How I Hacked Hacker News (with arc security advisory) ](https://news.ycombinator.com/item?id=639976)\n* Posts by Pucara Information Security Team: [ The Java Soothsayer: A practical application for insecure randomness. 
(Includes free 0day) ](https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-338", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql", + "precision": "very-high", + "security-severity": "7.8" + } + }, + { + "id": "java/jndi-injection", + "name": "java/jndi-injection", + "shortDescription": { + "text": "JNDI lookup with user-controlled name" + }, + "fullDescription": { + "text": "Performing a JNDI lookup with a user-controlled name can lead to the download of an untrusted object and to execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# JNDI lookup with user-controlled name\nThe Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources (in the form of Java objects) via a name. If the name being used to look up the data is controlled by the user, it can point to a malicious server, which can return an arbitrary object. In the worst case, this can allow remote code execution.\n\n\n## Recommendation\nThe general recommendation is to avoid passing untrusted data to the `InitialContext.lookup ` method. 
If the name being used to look up the object must be provided by the user, make sure that it's not in the form of an absolute URL or that it's the URL pointing to a trusted server.\n\n\n## Example\nIn the following examples, the code accepts a name from the user, which it uses to look up an object.\n\nIn the first example, the user provided name is used to look up an object.\n\nThe second example validates the name before using it to look up an object.\n\n\n```java\nimport javax.naming.Context;\nimport javax.naming.InitialContext;\n\npublic void jndiLookup(HttpServletRequest request) throws NamingException {\n String name = request.getParameter(\"name\");\n\n Hashtable env = new Hashtable();\n env.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.rmi.registry.RegistryContextFactory\");\n env.put(Context.PROVIDER_URL, \"rmi://trusted-server:1099\");\n InitialContext ctx = new InitialContext(env);\n\n // BAD: User input used in lookup\n ctx.lookup(name);\n\n // GOOD: The name is validated before being used in lookup\n if (isValid(name)) {\n ctx.lookup(name);\n } else {\n // Reject the request\n }\n}\n```\n\n## References\n* Oracle: [Java Naming and Directory Interface (JNDI)](https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/).\n* Black Hat materials: [A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf).\n* Veracode: [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n", + "markdown": "# JNDI lookup with user-controlled name\nThe Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources (in the form of Java objects) via a name. 
If the name being used to look up the data is controlled by the user, it can point to a malicious server, which can return an arbitrary object. In the worst case, this can allow remote code execution.\n\n\n## Recommendation\nThe general recommendation is to avoid passing untrusted data to the `InitialContext.lookup ` method. If the name being used to look up the object must be provided by the user, make sure that it's not in the form of an absolute URL or that it's the URL pointing to a trusted server.\n\n\n## Example\nIn the following examples, the code accepts a name from the user, which it uses to look up an object.\n\nIn the first example, the user provided name is used to look up an object.\n\nThe second example validates the name before using it to look up an object.\n\n\n```java\nimport javax.naming.Context;\nimport javax.naming.InitialContext;\n\npublic void jndiLookup(HttpServletRequest request) throws NamingException {\n String name = request.getParameter(\"name\");\n\n Hashtable env = new Hashtable();\n env.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.rmi.registry.RegistryContextFactory\");\n env.put(Context.PROVIDER_URL, \"rmi://trusted-server:1099\");\n InitialContext ctx = new InitialContext(env);\n\n // BAD: User input used in lookup\n ctx.lookup(name);\n\n // GOOD: The name is validated before being used in lookup\n if (isValid(name)) {\n ctx.lookup(name);\n } else {\n // Reject the request\n }\n}\n```\n\n## References\n* Oracle: [Java Naming and Directory Interface (JNDI)](https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/).\n* Black Hat materials: [A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf).\n* Veracode: [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java).\n* Common Weakness Enumeration: 
[CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-074", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/ldap-injection", + "name": "java/ldap-injection", + "shortDescription": { + "text": "LDAP query built from user-controlled sources" + }, + "fullDescription": { + "text": "Building an LDAP query from user-controlled sources is vulnerable to insertion of malicious LDAP code by the user." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# LDAP query built from user-controlled sources\nIf an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries.\n\n\n## Recommendation\nIf user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible build the LDAP query using framework helper methods, for example from Spring's `LdapQueryBuilder` and `LdapNameBuilder`, instead of string concatenation. Alternatively, escape user input using an appropriate LDAP encoding method, for example: `encodeForLDAP` or `encodeForDN` from OWASP ESAPI, `LdapEncoder.filterEncode` or `LdapEncoder.nameEncode` from Spring LDAP, or `Filter.encodeValue` from UnboundID library.\n\n\n## Example\nIn the following examples, the code accepts an \"organization name\" and a \"username\" from the user, which it uses to query LDAP.\n\nThe first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query. 
A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The LDAP query is executed using Java JNDI API.\n\nThe second example uses the OWASP ESAPI library to encode the user values before they are included in the DN and search filters. This ensures the meaning of the query cannot be changed by a malicious user.\n\n\n```java\nimport javax.naming.directory.DirContext;\nimport org.owasp.esapi.Encoder;\nimport org.owasp.esapi.reference.DefaultEncoder;\n\npublic void ldapQueryBad(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // BAD: User input used in DN (Distinguished Name) without encoding\n String dn = \"OU=People,O=\" + organizationName;\n\n // BAD: User input used in search filter without encoding\n String filter = \"username=\" + userName;\n\n ctx.search(dn, filter, new SearchControls());\n}\n\npublic void ldapQueryGood(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // ESAPI encoder\n Encoder encoder = DefaultEncoder.getInstance();\n\n // GOOD: Organization name is encoded before being used in DN\n String safeOrganizationName = encoder.encodeForDN(organizationName);\n String safeDn = \"OU=People,O=\" + safeOrganizationName;\n\n // GOOD: User input is encoded before being used in search filter\n String safeUsername = encoder.encodeForLDAP(username);\n String safeFilter = \"username=\" + safeUsername;\n \n ctx.search(safeDn, safeFilter, new SearchControls());\n}\n```\nThe third example uses Spring `LdapQueryBuilder` to build an LDAP query. 
In addition to simplifying the building of complex search parameters, it also provides proper escaping of any unsafe characters in search filters. The DN is built using `LdapNameBuilder`, which also provides proper escaping.\n\n\n```java\nimport static org.springframework.ldap.query.LdapQueryBuilder.query;\nimport org.springframework.ldap.support.LdapNameBuilder;\n\npublic void ldapQueryGood(@RequestParam String organizationName, @RequestParam String username) {\n // GOOD: Organization name is encoded before being used in DN\n String safeDn = LdapNameBuilder.newInstance()\n .add(\"O\", organizationName)\n .add(\"OU=People\")\n .build().toString();\n\n // GOOD: User input is encoded before being used in search filter\n LdapQuery query = query()\n .base(safeDn)\n .where(\"username\").is(username);\n\n ldapTemplate.search(query, new AttributeCheckAttributesMapper());\n}\n```\nThe fourth example uses `UnboundID` classes, `Filter` and `DN`, to construct a safe filter and base DN.\n\n\n```java\nimport com.unboundid.ldap.sdk.LDAPConnection;\nimport com.unboundid.ldap.sdk.DN;\nimport com.unboundid.ldap.sdk.RDN;\nimport com.unboundid.ldap.sdk.Filter;\n\npublic void ldapQueryGood(HttpServletRequest request, LDAPConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n DN safeDn = new DN(new RDN(\"OU\", \"People\"), new RDN(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n Filter safeFilter = Filter.createEqualityFilter(\"username\", username);\n \n c.search(safeDn.toString(), SearchScope.ONE, safeFilter);\n}\n```\nThe fifth example shows how to build a safe filter and DN using the Apache LDAP API.\n\n\n```java\nimport org.apache.directory.ldap.client.api.LdapConnection;\nimport org.apache.directory.api.ldap.model.name.Dn;\nimport 
org.apache.directory.api.ldap.model.name.Rdn;\nimport org.apache.directory.api.ldap.model.message.SearchRequest;\nimport org.apache.directory.api.ldap.model.message.SearchRequestImpl;\nimport static org.apache.directory.ldap.client.api.search.FilterBuilder.equal;\n\npublic void ldapQueryGood(HttpServletRequest request, LdapConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n Dn safeDn = new Dn(new Rdn(\"OU\", \"People\"), new Rdn(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n String safeFilter = equal(\"username\", username);\n \n SearchRequest searchRequest = new SearchRequestImpl();\n searchRequest.setBase(safeDn);\n searchRequest.setFilter(safeFilter);\n c.search(searchRequest);\n}\n```\n\n## References\n* OWASP: [LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).\n* OWASP ESAPI: [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/).\n* Spring LdapQueryBuilder doc: [LdapQueryBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html).\n* Spring LdapNameBuilder doc: [LdapNameBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html).\n* UnboundID: [Understanding and Defending Against LDAP Injection Attacks](https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n", + "markdown": "# LDAP query built from user-controlled sources\nIf an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries.\n\n\n## 
Recommendation\nIf user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible build the LDAP query using framework helper methods, for example from Spring's `LdapQueryBuilder` and `LdapNameBuilder`, instead of string concatenation. Alternatively, escape user input using an appropriate LDAP encoding method, for example: `encodeForLDAP` or `encodeForDN` from OWASP ESAPI, `LdapEncoder.filterEncode` or `LdapEncoder.nameEncode` from Spring LDAP, or `Filter.encodeValue` from UnboundID library.\n\n\n## Example\nIn the following examples, the code accepts an \"organization name\" and a \"username\" from the user, which it uses to query LDAP.\n\nThe first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query. A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The LDAP query is executed using Java JNDI API.\n\nThe second example uses the OWASP ESAPI library to encode the user values before they are included in the DN and search filters. 
This ensures the meaning of the query cannot be changed by a malicious user.\n\n\n```java\nimport javax.naming.directory.DirContext;\nimport org.owasp.esapi.Encoder;\nimport org.owasp.esapi.reference.DefaultEncoder;\n\npublic void ldapQueryBad(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // BAD: User input used in DN (Distinguished Name) without encoding\n String dn = \"OU=People,O=\" + organizationName;\n\n // BAD: User input used in search filter without encoding\n String filter = \"username=\" + userName;\n\n ctx.search(dn, filter, new SearchControls());\n}\n\npublic void ldapQueryGood(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // ESAPI encoder\n Encoder encoder = DefaultEncoder.getInstance();\n\n // GOOD: Organization name is encoded before being used in DN\n String safeOrganizationName = encoder.encodeForDN(organizationName);\n String safeDn = \"OU=People,O=\" + safeOrganizationName;\n\n // GOOD: User input is encoded before being used in search filter\n String safeUsername = encoder.encodeForLDAP(username);\n String safeFilter = \"username=\" + safeUsername;\n \n ctx.search(safeDn, safeFilter, new SearchControls());\n}\n```\nThe third example uses Spring `LdapQueryBuilder` to build an LDAP query. In addition to simplifying the building of complex search parameters, it also provides proper escaping of any unsafe characters in search filters. 
The DN is built using `LdapNameBuilder`, which also provides proper escaping.\n\n\n```java\nimport static org.springframework.ldap.query.LdapQueryBuilder.query;\nimport org.springframework.ldap.support.LdapNameBuilder;\n\npublic void ldapQueryGood(@RequestParam String organizationName, @RequestParam String username) {\n // GOOD: Organization name is encoded before being used in DN\n String safeDn = LdapNameBuilder.newInstance()\n .add(\"O\", organizationName)\n .add(\"OU=People\")\n .build().toString();\n\n // GOOD: User input is encoded before being used in search filter\n LdapQuery query = query()\n .base(safeDn)\n .where(\"username\").is(username);\n\n ldapTemplate.search(query, new AttributeCheckAttributesMapper());\n}\n```\nThe fourth example uses `UnboundID` classes, `Filter` and `DN`, to construct a safe filter and base DN.\n\n\n```java\nimport com.unboundid.ldap.sdk.LDAPConnection;\nimport com.unboundid.ldap.sdk.DN;\nimport com.unboundid.ldap.sdk.RDN;\nimport com.unboundid.ldap.sdk.Filter;\n\npublic void ldapQueryGood(HttpServletRequest request, LDAPConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n DN safeDn = new DN(new RDN(\"OU\", \"People\"), new RDN(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n Filter safeFilter = Filter.createEqualityFilter(\"username\", username);\n \n c.search(safeDn.toString(), SearchScope.ONE, safeFilter);\n}\n```\nThe fifth example shows how to build a safe filter and DN using the Apache LDAP API.\n\n\n```java\nimport org.apache.directory.ldap.client.api.LdapConnection;\nimport org.apache.directory.api.ldap.model.name.Dn;\nimport org.apache.directory.api.ldap.model.name.Rdn;\nimport org.apache.directory.api.ldap.model.message.SearchRequest;\nimport org.apache.directory.api.ldap.model.message.SearchRequestImpl;\nimport 
static org.apache.directory.ldap.client.api.search.FilterBuilder.equal;\n\npublic void ldapQueryGood(HttpServletRequest request, LdapConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n Dn safeDn = new Dn(new Rdn(\"OU\", \"People\"), new Rdn(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n String safeFilter = equal(\"username\", username);\n \n SearchRequest searchRequest = new SearchRequestImpl();\n searchRequest.setBase(safeDn);\n searchRequest.setFilter(safeFilter);\n c.search(searchRequest);\n}\n```\n\n## References\n* OWASP: [LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).\n* OWASP ESAPI: [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/).\n* Spring LdapQueryBuilder doc: [LdapQueryBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html).\n* Spring LdapNameBuilder doc: [LdapNameBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html).\n* UnboundID: [Understanding and Defending Against LDAP Injection Attacks](https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-090", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/maven/dependency-upon-bintray", + "name": "java/maven/dependency-upon-bintray", + "shortDescription": { + "text": "Depending upon JCenter/Bintray as 
an artifact repository" + }, + "fullDescription": { + "text": "Using a deprecated artifact repository may eventually give attackers access for a supply chain attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Depending upon JCenter/Bintray as an artifact repository\n[Bintray and JCenter are shutting down on February 1st, 2022](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/). Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences; for example, artifacts being resolved from a different artifact server or a total failure of the CI build.\n\nWhen artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge. Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\n\n## Recommendation\nAlways use the canonical repository for resolving your dependencies.\n\n\n## Example\nThe following example shows locations in a Maven POM file where artifact repository upload/download is configured. 
The use of Bintray in any of these locations is not advised.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Bintray Usage\n An example of using bintray to download and upload dependencies\n\n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n jcenter-snapshots\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://dl.bintray.com/groovy/maven\n \n \n \n \n jcenter-plugins\n JCenter\n \n https://jcenter.bintray.com\n \n \n\n\n```\n\n## References\n* JFrog blog: [ Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter ](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/)\n* Common Weakness Enumeration: [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html).\n", + "markdown": "# Depending upon JCenter/Bintray as an artifact repository\n[Bintray and JCenter are shutting down on February 1st, 2022](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/). Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences; for example, artifacts being resolved from a different artifact server or a total failure of the CI build.\n\nWhen artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge. Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\n\n## Recommendation\nAlways use the canonical repository for resolving your dependencies.\n\n\n## Example\nThe following example shows locations in a Maven POM file where artifact repository upload/download is configured. 
The use of Bintray in any of these locations is not advised.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Bintray Usage\n An example of using bintray to download and upload dependencies\n\n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n jcenter-snapshots\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://dl.bintray.com/groovy/maven\n \n \n \n \n jcenter-plugins\n JCenter\n \n https://jcenter.bintray.com\n \n \n\n\n```\n\n## References\n* JFrog blog: [ Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter ](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/)\n* Common Weakness Enumeration: [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1104", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql", + "precision": "very-high", + "security-severity": "6.5" + } + }, + { + "id": "java/maven/non-https-url", + "name": "java/maven/non-https-url", + "shortDescription": { + "text": "Failure to use HTTPS or SFTP URL in Maven artifact upload/download" + }, + "fullDescription": { + "text": "Non-HTTPS connections can be intercepted by third parties." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Failure to use HTTPS or SFTP URL in Maven artifact upload/download\nUsing an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a [Man in the Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. 
This can be used by attackers to perform a [Supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\nThis vulnerability has a [ CVSS v3.1 base score of 8.1/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1).\n\n\n## Recommendation\nAlways use HTTPS or SFTP to download artifacts from artifact servers.\n\n\n## Example\nThese examples show examples of locations in Maven POM files where artifact repository upload/download is configured. The first shows the use of HTTP, the second shows the use of HTTPS.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of insecure download and upload of dependencies\n\n \n \n insecure-releases\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n insecure-snapshots\n Insecure Repository Snapshots\n \n http://insecure-repository.example\n \n \n \n \n insecure\n Insecure Repository\n \n http://insecure-repository.example\n \n \n \n \n insecure-plugins\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n\n\n```\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of secure download and upload of dependencies\n\n \n \n insecure-releases\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n insecure-snapshots\n Secure Repository Snapshots\n \n https://insecure-repository.example\n \n \n \n \n insecure\n Secure Repository\n \n https://insecure-repository.example\n \n \n \n \n insecure-plugins\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n\n\n```\n\n## References\n* Research: [ Want to take over the Java ecosystem? All you need is a MITM! 
](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)\n* Research: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Proof of Concept: [ mveytsman/dilettante ](https://github.com/mveytsman/dilettante)\n* Additional Gradle & Maven plugin: [ Announcing nohttp ](https://spring.io/blog/2019/06/10/announcing-nohttp)\n* Java Ecosystem Announcement: [ HTTP Decommission Artifact Server Announcements ](https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n", + "markdown": "# Failure to use HTTPS or SFTP URL in Maven artifact upload/download\nUsing an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a [Man in the Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. 
This can be used by attackers to perform a [Supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\nThis vulnerability has a [ CVSS v3.1 base score of 8.1/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1).\n\n\n## Recommendation\nAlways use HTTPS or SFTP to download artifacts from artifact servers.\n\n\n## Example\nThese examples show examples of locations in Maven POM files where artifact repository upload/download is configured. The first shows the use of HTTP, the second shows the use of HTTPS.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of insecure download and upload of dependencies\n\n \n \n insecure-releases\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n insecure-snapshots\n Insecure Repository Snapshots\n \n http://insecure-repository.example\n \n \n \n \n insecure\n Insecure Repository\n \n http://insecure-repository.example\n \n \n \n \n insecure-plugins\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n\n\n```\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of secure download and upload of dependencies\n\n \n \n insecure-releases\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n insecure-snapshots\n Secure Repository Snapshots\n \n https://insecure-repository.example\n \n \n \n \n insecure\n Secure Repository\n \n https://insecure-repository.example\n \n \n \n \n insecure-plugins\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n\n\n```\n\n## References\n* Research: [ Want to take over the Java ecosystem? All you need is a MITM! 
](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)\n* Research: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Proof of Concept: [ mveytsman/dilettante ](https://github.com/mveytsman/dilettante)\n* Additional Gradle & Maven plugin: [ Announcing nohttp ](https://spring.io/blog/2019/06/10/announcing-nohttp)\n* Java Ecosystem Announcement: [ HTTP Decommission Artifact Server Announcements ](https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-300", + "external/cwe/cwe-319", + "external/cwe/cwe-494", + "external/cwe/cwe-829", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql", + "precision": "very-high", + "security-severity": "8.1" + } + }, + { + "id": "java/missing-jwt-signature-check", + "name": "java/missing-jwt-signature-check", + "shortDescription": { + "text": "Missing JWT signature check" + }, + "fullDescription": { + "text": "Failing to check the Json Web Token (JWT) signature may allow an attacker to forge their own tokens." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Missing JWT signature check\nA JSON Web Token (JWT) consists of three parts: header, payload, and signature. 
The `io.jsonwebtoken.jjwt` library is one of many libraries used for working with JWTs. It offers different methods for parsing tokens like `parse`, `parseClaimsJws`, and `parsePlaintextJws`. The last two correctly verify that the JWT is properly signed. This is done by computing the signature of the combination of header and payload and comparing the locally computed signature with the signature part of the JWT.\n\nTherefore it is necessary to provide the `JwtParser` with a key that is used for signature validation. Unfortunately the `parse` method **accepts** a JWT whose signature is empty although a signing key has been set for the parser. This means that an attacker can create arbitrary JWTs that will be accepted if this method is used.\n\n\n## Recommendation\nAlways verify the signature by using either the `parseClaimsJws` and `parsePlaintextJws` methods or by overriding the `onPlaintextJws` or `onClaimsJws` of `JwtHandlerAdapter`.\n\n\n## Example\nThe following example shows four cases where a signing key is set for a parser. In the first 'BAD' case the `parse` method is used, which will not validate the signature. The second 'BAD' case uses a `JwtHandlerAdapter` where the `onPlaintextJwt` method is overriden, so it will not validate the signature. 
The third and fourth 'GOOD' cases use `parseClaimsJws` method or override the `onPlaintextJws` method.\n\n\n```java\npublic void badJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(token); // BAD: Does not verify the signature\n}\n\npublic void badJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jwt onPlaintextJwt(Jwt jwt) {\n return jwt;\n }\n }); // BAD: The handler is called on an unverified JWT\n}\n\npublic void goodJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parseClaimsJws(token) // GOOD: Verify the signature\n .getBody();\n}\n\npublic void goodJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jws onPlaintextJws(Jws jws) {\n return jws;\n }\n }); // GOOD: The handler is called on a verified JWS\n}\n```\n\n## References\n* zofrex: [How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing App](https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n", + "markdown": "# Missing JWT signature check\nA JSON Web Token (JWT) consists of three parts: header, payload, and signature. The `io.jsonwebtoken.jjwt` library is one of many libraries used for working with JWTs. It offers different methods for parsing tokens like `parse`, `parseClaimsJws`, and `parsePlaintextJws`. The last two correctly verify that the JWT is properly signed. This is done by computing the signature of the combination of header and payload and comparing the locally computed signature with the signature part of the JWT.\n\nTherefore it is necessary to provide the `JwtParser` with a key that is used for signature validation. 
Unfortunately the `parse` method **accepts** a JWT whose signature is empty although a signing key has been set for the parser. This means that an attacker can create arbitrary JWTs that will be accepted if this method is used.\n\n\n## Recommendation\nAlways verify the signature by using either the `parseClaimsJws` and `parsePlaintextJws` methods or by overriding the `onPlaintextJws` or `onClaimsJws` of `JwtHandlerAdapter`.\n\n\n## Example\nThe following example shows four cases where a signing key is set for a parser. In the first 'BAD' case the `parse` method is used, which will not validate the signature. The second 'BAD' case uses a `JwtHandlerAdapter` where the `onPlaintextJwt` method is overriden, so it will not validate the signature. The third and fourth 'GOOD' cases use `parseClaimsJws` method or override the `onPlaintextJws` method.\n\n\n```java\npublic void badJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(token); // BAD: Does not verify the signature\n}\n\npublic void badJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jwt onPlaintextJwt(Jwt jwt) {\n return jwt;\n }\n }); // BAD: The handler is called on an unverified JWT\n}\n\npublic void goodJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parseClaimsJws(token) // GOOD: Verify the signature\n .getBody();\n}\n\npublic void goodJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jws onPlaintextJws(Jws jws) {\n return jws;\n }\n }); // GOOD: The handler is called on a verified JWS\n}\n```\n\n## References\n* zofrex: [How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing 
App](https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-347", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/mvel-expression-injection", + "name": "java/mvel-expression-injection", + "shortDescription": { + "text": "Expression language injection (MVEL)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled MVEL expression may lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (MVEL)\nMVEL is an expression language based on Java-syntax, which offers many features including invocation of methods available in the JVM. If a MVEL expression is built using attacker-controlled data, and then evaluated, then it may allow attackers to run arbitrary code.\n\n\n## Recommendation\nIncluding user input in a MVEL expression should be avoided.\n\n\n## Example\nIn the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. 
In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // BAD: the user-provided expression is directly evaluated\n MVEL.eval(expression);\n }\n}\n\npublic void safeEvaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // GOOD: the user-provided expression is validated before evaluation\n validateExpression(expression);\n MVEL.eval(expression);\n }\n}\n\nprivate void validateExpression(String expression) {\n // Validate that the expression does not contain unexpected code.\n // For instance, this can be done with allow-lists or deny-lists of code patterns.\n}\n```\n\n## References\n* MVEL Documentation: [Language Guide for 2.0](http://mvel.documentnode.com/).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (MVEL)\nMVEL is an expression language based on Java-syntax, which offers many features including invocation of methods available in the JVM. If a MVEL expression is built using attacker-controlled data, and then evaluated, then it may allow attackers to run arbitrary code.\n\n\n## Recommendation\nIncluding user input in a MVEL expression should be avoided.\n\n\n## Example\nIn the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. 
In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // BAD: the user-provided expression is directly evaluated\n MVEL.eval(expression);\n }\n}\n\npublic void safeEvaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // GOOD: the user-provided expression is validated before evaluation\n validateExpression(expression);\n MVEL.eval(expression);\n }\n}\n\nprivate void validateExpression(String expression) {\n // Validate that the expression does not contain unexpected code.\n // For instance, this can be done with allow-lists or deny-lists of code patterns.\n}\n```\n\n## References\n* MVEL Documentation: [Language Guide for 2.0](http://mvel.documentnode.com/).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/netty-http-request-or-response-splitting", + "name": "java/netty-http-request-or-response-splitting", + "shortDescription": { + "text": "Disabled Netty HTTP header validation" + }, + "fullDescription": { + "text": "Disabling HTTP header validation makes code vulnerable to attack by header splitting if user input is written directly to an 
HTTP header." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabled Netty HTTP header validation\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. 
The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. 
The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-93](https://cwe.mitre.org/data/definitions/93.html).\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n", + "markdown": "# Disabled Netty HTTP header validation\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. 
This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. 
The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response 
splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-93](https://cwe.mitre.org/data/definitions/93.html).\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-113", + "external/cwe/cwe-93", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/ognl-injection", + "name": "java/ognl-injection", + "shortDescription": { + "text": "OGNL Expression Language statement with user-controlled input" + }, + "fullDescription": { + "text": "Evaluation of OGNL Expression Language statement with user-controlled input can lead to execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# OGNL Expression Language statement with user-controlled input\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. OGNL can create or change executable code, consequently it can introduce critical security flaws to any application that uses it. Evaluation of unvalidated expressions is a common flaw in OGNL. This exposes the properties of Java objects to modification by an attacker and may allow them to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to avoid evaluating untrusted ONGL expressions. 
If user-provided OGNL expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.\n\n\n## Example\nIn the following examples, the code accepts an OGNL expression from the user and evaluates it.\n\nIn the first example, the user-provided OGNL expression is parsed and evaluated.\n\nThe second example validates the expression and evaluates it inside a sandbox. You can add a sandbox by setting a system property, as shown in the example, or by adding `-Dognl.security.manager` to JVM arguments.\n\n\n```java\nimport ognl.Ognl;\nimport ognl.OgnlException;\n\npublic void evaluate(HttpServletRequest request, Object root) throws OgnlException {\n String expression = request.getParameter(\"expression\");\n\n // BAD: User provided expression is evaluated\n Ognl.getValue(expression, root);\n \n // GOOD: The name is validated and expression is evaluated in sandbox\n System.setProperty(\"ognl.security.manager\", \"\"); // Or add -Dognl.security.manager to JVM args\n if (isValid(expression)) {\n Ognl.getValue(expression, root);\n } else {\n // Reject the request\n }\n}\n\npublic void isValid(Strig expression) {\n // Custom method to validate the expression.\n // For instance, make sure it doesn't include unexpected code.\n}\n\n```\n\n## References\n* Apache Commons: [Apache Commons OGNL](https://commons.apache.org/proper/commons-ognl/).\n* Struts security: [Proactively protect from OGNL Expression Injections attacks](https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable).\n* Common Weakness Enumeration: [CWE-917](https://cwe.mitre.org/data/definitions/917.html).\n", + "markdown": "# OGNL Expression Language statement with user-controlled input\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. OGNL can create or change executable code, consequently it can introduce critical security flaws to any application that uses it. 
Evaluation of unvalidated expressions is a common flaw in OGNL. This exposes the properties of Java objects to modification by an attacker and may allow them to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to avoid evaluating untrusted ONGL expressions. If user-provided OGNL expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.\n\n\n## Example\nIn the following examples, the code accepts an OGNL expression from the user and evaluates it.\n\nIn the first example, the user-provided OGNL expression is parsed and evaluated.\n\nThe second example validates the expression and evaluates it inside a sandbox. You can add a sandbox by setting a system property, as shown in the example, or by adding `-Dognl.security.manager` to JVM arguments.\n\n\n```java\nimport ognl.Ognl;\nimport ognl.OgnlException;\n\npublic void evaluate(HttpServletRequest request, Object root) throws OgnlException {\n String expression = request.getParameter(\"expression\");\n\n // BAD: User provided expression is evaluated\n Ognl.getValue(expression, root);\n \n // GOOD: The name is validated and expression is evaluated in sandbox\n System.setProperty(\"ognl.security.manager\", \"\"); // Or add -Dognl.security.manager to JVM args\n if (isValid(expression)) {\n Ognl.getValue(expression, root);\n } else {\n // Reject the request\n }\n}\n\npublic void isValid(Strig expression) {\n // Custom method to validate the expression.\n // For instance, make sure it doesn't include unexpected code.\n}\n\n```\n\n## References\n* Apache Commons: [Apache Commons OGNL](https://commons.apache.org/proper/commons-ognl/).\n* Struts security: [Proactively protect from OGNL Expression Injections attacks](https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable).\n* Common Weakness Enumeration: [CWE-917](https://cwe.mitre.org/data/definitions/917.html).\n" + }, + "properties": { + "tags": [ 
+ "external/cwe/cwe-917", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/overly-large-range", + "name": "java/overly-large-range", + "shortDescription": { + "text": "Overly permissive regular expression range" + }, + "fullDescription": { + "text": "Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```java\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-f]{6}\", color);\n }\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-F]{6}\", color);\n }\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. 
Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```java\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-f]{6}\", color);\n }\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-F]{6}\", color);\n }\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/partial-path-traversal-from-remote", + "name": "java/partial-path-traversal-from-remote", + "shortDescription": { + "text": "Partial path traversal vulnerability from remote" + }, + "fullDescription": { + "text": "A prefix used to check that a canonicalised path falls within another must be slash-terminated." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Partial path traversal vulnerability from remote\nA common way to check that a user-supplied path `SUBDIR` falls inside a directory `DIR` is to use `getCanonicalPath()` to remove any path-traversal elements and then check that `DIR` is a prefix. However, if `DIR` is not slash-terminated, this can unexpectedly allow accessing siblings of `DIR`.\n\nSee also `java/partial-path-traversal`, which is similar to this query, but may also flag non-remotely-exploitable instances of partial path traversal vulnerabilities.\n\n\n## Recommendation\nIf the user should only access items within a certain directory `DIR`, ensure that `DIR` is slash-terminated before checking that `DIR` is a prefix of the user-provided path, `SUBDIR`. Note, Java's `getCanonicalPath()` returns a **non**-slash-terminated path string, so a slash must be added to `DIR` if that method is used.\n\n\n## Example\nIn this example, the `if` statement checks if `parent.getCanonicalPath()` is a prefix of `dir.getCanonicalPath()`. However, `parent.getCanonicalPath()` is not slash-terminated. This means that users that supply `dir` may be also allowed to access siblings of `parent` and not just children of `parent`, which is a security issue.\n\n\n```java\npublic class PartialPathTraversalBad {\n public void example(File dir, File parent) throws IOException {\n if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\nIn this example, the `if` statement checks if `parent.toPath()` is a prefix of `dir.normalize()`. 
Because `Path#startsWith` does the correct check that `dir` is a child of `parent`, users will not be able to access siblings of `parent`, as desired.\n\n\n```java\nimport java.io.File;\n\npublic class PartialPathTraversalGood {\n public void example(File dir, File parent) throws IOException {\n if (!dir.toPath().normalize().startsWith(parent.toPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Partial Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* CVE-2022-23457: [ ESAPI Vulnerability Report](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n", + "markdown": "# Partial path traversal vulnerability from remote\nA common way to check that a user-supplied path `SUBDIR` falls inside a directory `DIR` is to use `getCanonicalPath()` to remove any path-traversal elements and then check that `DIR` is a prefix. However, if `DIR` is not slash-terminated, this can unexpectedly allow accessing siblings of `DIR`.\n\nSee also `java/partial-path-traversal`, which is similar to this query, but may also flag non-remotely-exploitable instances of partial path traversal vulnerabilities.\n\n\n## Recommendation\nIf the user should only access items within a certain directory `DIR`, ensure that `DIR` is slash-terminated before checking that `DIR` is a prefix of the user-provided path, `SUBDIR`. Note, Java's `getCanonicalPath()` returns a **non**-slash-terminated path string, so a slash must be added to `DIR` if that method is used.\n\n\n## Example\nIn this example, the `if` statement checks if `parent.getCanonicalPath()` is a prefix of `dir.getCanonicalPath()`. However, `parent.getCanonicalPath()` is not slash-terminated. 
This means that users that supply `dir` may be also allowed to access siblings of `parent` and not just children of `parent`, which is a security issue.\n\n\n```java\npublic class PartialPathTraversalBad {\n public void example(File dir, File parent) throws IOException {\n if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\nIn this example, the `if` statement checks if `parent.toPath()` is a prefix of `dir.normalize()`. Because `Path#startsWith` does the correct check that `dir` is a child of `parent`, users will not be able to access siblings of `parent`, as desired.\n\n\n```java\nimport java.io.File;\n\npublic class PartialPathTraversalGood {\n public void example(File dir, File parent) throws IOException {\n if (!dir.toPath().normalize().startsWith(parent.toPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Partial Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* CVE-2022-23457: [ ESAPI Vulnerability Report](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-023", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/path-injection", + "name": "java/path-injection", + "shortDescription": { + "text": "Uncontrolled data used in path expression" + }, + "fullDescription": { + "text": "Accessing paths influenced by users can allow an attacker to access unexpected resources." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Uncontrolled data used in path expression\nAccessing paths controlled by users can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nPaths that are naively constructed from data controlled by a user may be absolute paths, or may contain unexpected special characters such as \"..\". Such a path could point anywhere on the file system.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nCommon validation methods include checking that the normalized path is relative and does not contain any \"..\" components, or checking that the path is contained within a safe folder. The method you should use depends on how the path is used in the application, and whether the path should be a single path component.\n\nIf the path should be a single path component (such as a file name), you can check for the existence of any path separators (\"/\" or \"\\\\\"), or \"..\" sequences in the input, and reject the input if any are found.\n\nNote that removing \"../\" sequences is *not* sufficient, since the input could still contain a path separator followed by \"..\". For example, the input \".../...//\" would still result in the string \"../\" if only \"../\" sequences are removed.\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn this example, a file name is read from a `java.net.Socket` and then used to access a file and send it back over the socket. 
However, a malicious user could enter a file name anywhere on the file system, such as \"/etc/passwd\" or \"../../../etc/passwd\".\n\n\n```java\npublic void sendUserFile(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// BAD: read from a file without checking its path\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n\n```\nIf the input should only be a file name, you can check that it doesn't contain any path separators or \"..\" sequences.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// GOOD: ensure that the filename has no path separators or parent directory references\n\tif (filename.contains(\"..\") || filename.contains(\"/\") || filename.contains(\"\\\\\")) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\t\n}\n\n```\nIf the input should be within a specific directory, you can check that the resolved path is still contained within that directory.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\n\tPath publicFolder = Paths.get(\"/home/\" + user + 
\"/public\").normalize().toAbsolutePath();\n\tPath filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();\n\n\t// GOOD: ensure that the path stays within the public folder\n\tif (!filePath.startsWith(publicFolder + File.separator)) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n", + "markdown": "# Uncontrolled data used in path expression\nAccessing paths controlled by users can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nPaths that are naively constructed from data controlled by a user may be absolute paths, or may contain unexpected special characters such as \"..\". Such a path could point anywhere on the file system.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nCommon validation methods include checking that the normalized path is relative and does not contain any \"..\" components, or checking that the path is contained within a safe folder. 
The method you should use depends on how the path is used in the application, and whether the path should be a single path component.\n\nIf the path should be a single path component (such as a file name), you can check for the existence of any path separators (\"/\" or \"\\\\\"), or \"..\" sequences in the input, and reject the input if any are found.\n\nNote that removing \"../\" sequences is *not* sufficient, since the input could still contain a path separator followed by \"..\". For example, the input \".../...//\" would still result in the string \"../\" if only \"../\" sequences are removed.\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn this example, a file name is read from a `java.net.Socket` and then used to access a file and send it back over the socket. However, a malicious user could enter a file name anywhere on the file system, such as \"/etc/passwd\" or \"../../../etc/passwd\".\n\n\n```java\npublic void sendUserFile(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// BAD: read from a file without checking its path\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n\n```\nIf the input should only be a file name, you can check that it doesn't contain any path separators or \"..\" sequences.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// GOOD: ensure that the filename has no path 
separators or parent directory references\n\tif (filename.contains(\"..\") || filename.contains(\"/\") || filename.contains(\"\\\\\")) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\t\n}\n\n```\nIf the input should be within a specific directory, you can check that the resolved path is still contained within that directory.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\n\tPath publicFolder = Paths.get(\"/home/\" + user + \"/public\").normalize().toAbsolutePath();\n\tPath filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();\n\n\t// GOOD: ensure that the path stays within the public folder\n\tif (!filePath.startsWith(publicFolder + File.separator)) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n" + }, + "properties": { + "tags": [ + 
"external/cwe/cwe-022", + "external/cwe/cwe-023", + "external/cwe/cwe-036", + "external/cwe/cwe-073", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/polynomial-redos", + "name": "java/polynomial-redos", + "shortDescription": { + "text": "Polynomial regular expression used on uncontrolled data" + }, + "fullDescription": { + "text": "A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. 
More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```java\n\nPattern.compile(\"^\\\\s+|\\\\s+$\").matcher(text).replaceAll(\"\") // BAD\n```\nThe sub-expression `\"\\\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`\"^\\\\s+|(? 
1000) {\n throw new IllegalArgumentException(\"Input too long\");\n}\n\nPattern.matches(\"^(\\\\+|-)?(\\\\d+|(\\\\d*\\\\.\\\\d*))?(E|e)?([-+])?(\\\\d+)?$\", str); \n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown": "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```java\n\nPattern.compile(\"^\\\\s+|\\\\s+$\").matcher(text).replaceAll(\"\") // BAD\n```\nThe sub-expression `\"\\\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. 
So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`\"^\\\\s+|(? 1000) {\n throw new IllegalArgumentException(\"Input too long\");\n}\n\nPattern.matches(\"^(\\\\+|-)?(\\\\d+|(\\\\d*\\\\.\\\\d*))?(E|e)?([-+])?(\\\\d+)?$\", str); \n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1333", + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/predictable-seed", + "name": "java/predictable-seed", + "shortDescription": { + "text": "Use of a predictable seed in a secure random number generator" + }, + "fullDescription": { + "text": "Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of a predictable seed in a secure random number generator\nUsing a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.\n\n\n## Recommendation\nIf the predictability of the pseudo-random number generator does not matter then consider using the faster `Random` class from `java.util`. If it is important that the pseudo-random number generator produces completely unpredictable values then either let the generator securely seed itself by not specifying a seed or specify a randomly generated, unpredictable seed.\n\n\n## Example\nIn the first example shown here, a constant value is used as a seed. Depending on the implementation of ` SecureRandom`, this could lead to the same random number being generated each time the code is executed.\n\nIn the second example shown here, the system time is used as a seed. Depending on the implementation of ` SecureRandom`, if an attacker knows what time the code was run, they could predict the generated random number.\n\nIn the third example shown here, the random number generator is allowed to generate its own seed, which it will do in a secure way.\n\n\n```java\nSecureRandom prng = new SecureRandom();\nint randomData = 0;\n\n// BAD: Using a constant value as a seed for a random number generator means all numbers it generates are predictable.\nprng.setSeed(12345L);\nrandomData = prng.next(32);\n\n// BAD: System.currentTimeMillis() returns the system time which is predictable.\nprng.setSeed(System.currentTimeMillis());\nrandomData = prng.next(32);\n\n// GOOD: SecureRandom implementations seed themselves securely by default.\nprng = new SecureRandom();\nrandomData = prng.next(32);\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-335](https://cwe.mitre.org/data/definitions/335.html).\n* Common Weakness Enumeration: [CWE-337](https://cwe.mitre.org/data/definitions/337.html).\n", + 
"markdown": "# Use of a predictable seed in a secure random number generator\nUsing a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.\n\n\n## Recommendation\nIf the predictability of the pseudo-random number generator does not matter then consider using the faster `Random` class from `java.util`. If it is important that the pseudo-random number generator produces completely unpredictable values then either let the generator securely seed itself by not specifying a seed or specify a randomly generated, unpredictable seed.\n\n\n## Example\nIn the first example shown here, a constant value is used as a seed. Depending on the implementation of ` SecureRandom`, this could lead to the same random number being generated each time the code is executed.\n\nIn the second example shown here, the system time is used as a seed. Depending on the implementation of ` SecureRandom`, if an attacker knows what time the code was run, they could predict the generated random number.\n\nIn the third example shown here, the random number generator is allowed to generate its own seed, which it will do in a secure way.\n\n\n```java\nSecureRandom prng = new SecureRandom();\nint randomData = 0;\n\n// BAD: Using a constant value as a seed for a random number generator means all numbers it generates are predictable.\nprng.setSeed(12345L);\nrandomData = prng.next(32);\n\n// BAD: System.currentTimeMillis() returns the system time which is predictable.\nprng.setSeed(System.currentTimeMillis());\nrandomData = prng.next(32);\n\n// GOOD: SecureRandom implementations seed themselves securely by default.\nprng = new SecureRandom();\nrandomData = prng.next(32);\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-335](https://cwe.mitre.org/data/definitions/335.html).\n* Common Weakness Enumeration: [CWE-337](https://cwe.mitre.org/data/definitions/337.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-335", + 
"external/cwe/cwe-337", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/redos", + "name": "java/redos", + "shortDescription": { + "text": "Inefficient regular expression" + }, + "fullDescription": { + "text": "A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. 
More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this regular expression:\n\n```java\n\n^_(__|.)+_$\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```java\n\n^_(__|[^_])+_$\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + 
"markdown": "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. 
Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this regular expression:\n\n```java\n\n^_(__|.)+_$\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```java\n\n^_(__|[^_])+_$\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1333", + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/ReDoS.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/regex-injection", + "name": "java/regex-injection", + "shortDescription": { + "text": "Regular expression injection" + 
}, + "fullDescription": { + "text": "User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to provide a regex that could require exponential time on certain inputs." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as `Pattern.quote` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows an HTTP request parameter that is used to construct a regular expression.\n\nIn the first case the user-provided regex is not escaped. If a malicious user provides a regex whose worst-case performance is exponential, then this could lead to a Denial of Service.\n\nIn the second case, the user input is escaped using `Pattern.quote` before being included in the regular expression. 
This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```java\nimport java.util.regex.Pattern;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\n\npublic class RegexInjectionDemo extends HttpServlet {\n\n public boolean badExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n return input.matches(regex);\n }\n\n public boolean goodExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n return input.matches(Pattern.quote(regex));\n }\n}\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Java API Specification: [Pattern.quote](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown": "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. 
In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as `Pattern.quote` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows an HTTP request parameter that is used to construct a regular expression.\n\nIn the first case the user-provided regex is not escaped. If a malicious user provides a regex whose worst-case performance is exponential, then this could lead to a Denial of Service.\n\nIn the second case, the user input is escaped using `Pattern.quote` before being included in the regular expression. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```java\nimport java.util.regex.Pattern;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\n\npublic class RegexInjectionDemo extends HttpServlet {\n\n public boolean badExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n return input.matches(regex);\n }\n\n public boolean goodExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n return input.matches(Pattern.quote(regex));\n }\n}\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Java API Specification: 
[Pattern.quote](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/rsa-without-oaep", + "name": "java/rsa-without-oaep", + "shortDescription": { + "text": "Use of RSA algorithm without OAEP" + }, + "fullDescription": { + "text": "Using RSA encryption without OAEP padding can result in a padding oracle attack, leading to a weaker encryption." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of RSA algorithm without OAEP\nCryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption. 
Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.\n\n\n## Recommendation\nUse the OAEP scheme when using RSA encryption.\n\n\n## Example\nIn the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.\n\n\n```java\n// BAD: No padding scheme is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/NoPadding\");\n...\n\n//GOOD: OAEP padding is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-1AndMGF1Padding\");\n...\n```\n\n## References\n* [Mobile Security Testing Guide](https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations).\n* [The Padding Oracle Attack](https://robertheaton.com/2013/07/29/padding-oracle-attack/).\n* Common Weakness Enumeration: [CWE-780](https://cwe.mitre.org/data/definitions/780.html).\n", + "markdown": "# Use of RSA algorithm without OAEP\nCryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption. 
Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.\n\n\n## Recommendation\nUse the OAEP scheme when using RSA encryption.\n\n\n## Example\nIn the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.\n\n\n```java\n// BAD: No padding scheme is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/NoPadding\");\n...\n\n//GOOD: OAEP padding is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-1AndMGF1Padding\");\n...\n```\n\n## References\n* [Mobile Security Testing Guide](https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations).\n* [The Padding Oracle Attack](https://robertheaton.com/2013/07/29/padding-oracle-attack/).\n* Common Weakness Enumeration: [CWE-780](https://cwe.mitre.org/data/definitions/780.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-780", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/server-side-template-injection", + "name": "java/server-side-template-injection", + "shortDescription": { + "text": "Server-side template injection" + }, + "fullDescription": { + "text": "Untrusted input interpreted as a template can lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Server-side template injection\nTemplate injection occurs when user input is embedded in a template's code in an unsafe manner. An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. 
This permits the attacker to run arbitrary code in the server's context.\n\n\n## Recommendation\nTo fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.\n\n\n## Example\nIn the example given below, an untrusted HTTP parameter `code` is used as a Velocity template string. This can lead to remote code execution.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"bad\")\n\tpublic void bad(HttpServletRequest request) {\n\t\tVelocity.init();\n\n\t\tString code = request.getParameter(\"code\");\n\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tStringWriter w = new StringWriter();\n\t\t// evaluate( Context context, Writer out, String logTag, String instring )\n\t\tVelocity.evaluate(context, w, \"mystring\", code);\n\t}\n}\n\n```\nIn the next example, the problem is avoided by using a fixed template string `s`. 
Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"good\")\n\tpublic void good(HttpServletRequest request) {\n\t\tVelocity.init();\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tString s = \"We are using $project $name to render this.\";\n\t\tStringWriter w = new StringWriter();\n\t\tVelocity.evaluate(context, w, \"mystring\", s);\n\t\tSystem.out.println(\" string : \" + w);\n\t}\n}\n\n```\n\n## References\n* Portswigger: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Server-side template injection\nTemplate injection occurs when user input is embedded in a template's code in an unsafe manner. An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. This permits the attacker to run arbitrary code in the server's context.\n\n\n## Recommendation\nTo fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.\n\n\n## Example\nIn the example given below, an untrusted HTTP parameter `code` is used as a Velocity template string. 
This can lead to remote code execution.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"bad\")\n\tpublic void bad(HttpServletRequest request) {\n\t\tVelocity.init();\n\n\t\tString code = request.getParameter(\"code\");\n\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tStringWriter w = new StringWriter();\n\t\t// evaluate( Context context, Writer out, String logTag, String instring )\n\t\tVelocity.evaluate(context, w, \"mystring\", code);\n\t}\n}\n\n```\nIn the next example, the problem is avoided by using a fixed template string `s`. Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"good\")\n\tpublic void good(HttpServletRequest request) {\n\t\tVelocity.init();\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tString s = \"We are using $project $name to render this.\";\n\t\tStringWriter w = new StringWriter();\n\t\tVelocity.evaluate(context, w, \"mystring\", s);\n\t\tSystem.out.println(\" string : \" + w);\n\t}\n}\n\n```\n\n## References\n* Portswigger: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "external/cwe/cwe-1336", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": 
"java/spel-expression-injection", + "name": "java/spel-expression-injection", + "shortDescription": { + "text": "Expression language injection (Spring)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled Spring Expression Language (SpEL) expression may lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (Spring)\nThe Spring Expression Language (SpEL) is a powerful expression language provided by the Spring Framework. The language offers many features including invocation of methods available in the JVM. If a SpEL expression is built using attacker-controlled data, and then evaluated in a powerful context, then it may allow the attacker to run arbitrary code.\n\nThe `SpelExpressionParser` class parses a SpEL expression string and returns an `Expression` instance that can be then evaluated by calling one of its methods. By default, an expression is evaluated in a powerful `StandardEvaluationContext` that allows the expression to access other methods available in the JVM.\n\n\n## Recommendation\nIn general, including user input in a SpEL expression should be avoided. If user input must be included in the expression, it should be then evaluated in a limited context that doesn't allow arbitrary method invocation.\n\n\n## Example\nThe following example uses untrusted data to build a SpEL expression and then runs it in the default powerful context.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n return expression.getValue();\n }\n}\n```\nThe next example shows how an untrusted SpEL expression can be run in `SimpleEvaluationContext` that doesn't allow accessing arbitrary methods. 
However, it's recommended to avoid using untrusted input in SpEL expressions.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n SimpleEvaluationContext context \n = SimpleEvaluationContext.forReadWriteDataBinding().build();\n return expression.getValue(context);\n }\n}\n```\n\n## References\n* Spring Framework Reference Documentation: [Spring Expression Language (SpEL)](https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/expressions.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (Spring)\nThe Spring Expression Language (SpEL) is a powerful expression language provided by the Spring Framework. The language offers many features including invocation of methods available in the JVM. If a SpEL expression is built using attacker-controlled data, and then evaluated in a powerful context, then it may allow the attacker to run arbitrary code.\n\nThe `SpelExpressionParser` class parses a SpEL expression string and returns an `Expression` instance that can be then evaluated by calling one of its methods. By default, an expression is evaluated in a powerful `StandardEvaluationContext` that allows the expression to access other methods available in the JVM.\n\n\n## Recommendation\nIn general, including user input in a SpEL expression should be avoided. 
If user input must be included in the expression, it should be then evaluated in a limited context that doesn't allow arbitrary method invocation.\n\n\n## Example\nThe following example uses untrusted data to build a SpEL expression and then runs it in the default powerful context.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n return expression.getValue();\n }\n}\n```\nThe next example shows how an untrusted SpEL expression can be run in `SimpleEvaluationContext` that doesn't allow accessing arbitrary methods. However, it's recommended to avoid using untrusted input in SpEL expressions.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n SimpleEvaluationContext context \n = SimpleEvaluationContext.forReadWriteDataBinding().build();\n return expression.getValue(context);\n }\n}\n```\n\n## References\n* Spring Framework Reference Documentation: [Spring Expression Language (SpEL)](https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/expressions.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql", + 
"precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/spring-disabled-csrf-protection", + "name": "java/spring-disabled-csrf-protection", + "shortDescription": { + "text": "Disabled Spring CSRF protection" + }, + "fullDescription": { + "text": "Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabled Spring CSRF protection\nWhen you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n\n## Recommendation\nWhen you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n\n\n## Example\nThe following example shows the Spring Java configuration with CSRF protection disabled. 
This type of configuration should only be used if you are creating a service that is used only by non-browser clients.\n\n\n```java\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@EnableWebSecurity\n@Configuration\npublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {\n @Override\n protected void configure(HttpSecurity http) throws Exception {\n http\n .csrf(csrf ->\n // BAD - CSRF protection shouldn't be disabled\n csrf.disable() \n );\n }\n}\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Spring Security Reference: [ Cross Site Request Forgery (CSRF) ](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n", + "markdown": "# Disabled Spring CSRF protection\nWhen you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n\n## Recommendation\nWhen you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n\n\n## Example\nThe following example shows the Spring Java configuration with CSRF protection disabled. 
This type of configuration should only be used if you are creating a service that is used only by non-browser clients.\n\n\n```java\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@EnableWebSecurity\n@Configuration\npublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {\n @Override\n protected void configure(HttpSecurity http) throws Exception {\n http\n .csrf(csrf ->\n // BAD - CSRF protection shouldn't be disabled\n csrf.disable() \n );\n }\n}\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Spring Security Reference: [ Cross Site Request Forgery (CSRF) ](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-352", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/sql-injection", + "name": "java/sql-injection", + "shortDescription": { + "text": "Query built from user-controlled sources" + }, + "fullDescription": { + "text": "Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of malicious code by the user." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Query built from user-controlled sources\nIf a database query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious database queries. This applies to various database query languages, including SQL and the Java Persistence Query Language.\n\n\n## Recommendation\nUsually, it is better to use a SQL prepared statement than to build a complete SQL query with string concatenation. A prepared statement can include a wildcard, written as a question mark (?), for each part of the SQL query that is expected to be filled in by a different value each time it is run. When the query is later executed, a value must be supplied for each wildcard in the query.\n\nIn the Java Persistence Query Language, it is better to use queries with parameters than to build a complete query with string concatenation. A Java Persistence query can include a parameter placeholder for each part of the query that is expected to be filled in by a different value when run. A parameter placeholder may be indicated by a colon (:) followed by a parameter name, or by a question mark (?) followed by an integer position. When the query is later executed, a value must be supplied for each parameter in the query, using the `setParameter` method. Specifying the query using the `@NamedQuery` annotation introduces an additional level of safety: the query must be a constant string literal, preventing construction by string concatenation, and the only way to fill in values for parts of the query is by setting positional parameters.\n\nIt is good practice to use prepared statements (in SQL) or query parameters (in the Java Persistence Query Language) for supplying parameter values to a query, whether or not any of the parameters are directly traceable to user input. 
Doing so avoids any need to worry about quoting and escaping.\n\n\n## Example\nIn the following example, the code runs a simple SQL query in two different ways.\n\nThe first way involves building a query, `query1`, by concatenating an environment variable with some string literals. The environment variable can include special characters, so this code allows for SQL injection attacks.\n\nThe second way, which shows good practice, involves building a query, `query2`, with a single string literal that includes a wildcard (`?`). The wildcard is then given a value by calling `setString`. This version is immune to injection attacks, because any special characters in the environment variable are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have SQL special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\"\n + category + \"' ORDER BY PRICE\";\n ResultSet results = statement.executeQuery(query1);\n}\n\n{\n // GOOD: use a prepared query\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE\";\n PreparedStatement statement = connection.prepareStatement(query2);\n statement.setString(1, category);\n ResultSet results = statement.executeQuery();\n}\n```\n\n## Example\nThe following code shows several different ways to run a Java Persistence query.\n\nThe first example involves building a query, `query1`, by concatenating an environment variable with some string literals. Just like the SQL example, the environment variable can include special characters, so this code allows for Java Persistence query injection attacks.\n\nThe remaining examples demonstrate different methods for safely building a Java Persistence query with user-supplied values:\n\n1. 
`query2` uses a single string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `query3` uses a single string literal that includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\n1. `namedQuery1` is defined using the `@NamedQuery` annotation, whose `query` attribute is a string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `namedQuery2` is defined using the `@NamedQuery` annotation, whose `query` attribute includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\nThe parameter is then given a value by calling `setParameter`. These versions are immune to injection attacks, because any special characters in the environment variable or user-supplied value are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have Java Persistence Query Language special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT p FROM Product p WHERE p.category LIKE '\"\n + category + \"' ORDER BY p.price\";\n Query q = entityManager.createQuery(query1);\n}\n\n{\n // GOOD: use a named parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\"\n Query q = entityManager.createQuery(query2);\n q.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a positional parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query3 = \"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\"\n Query q = entityManager.createQuery(query3);\n q.setParameter(1, category);\n}\n\n{\n // GOOD: use a named query with a named parameter and set its value\n @NamedQuery(\n 
name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery1 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery1.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a named query with a positional parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery2 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery2.setParameter(1, category);\n}\n```\n\n## References\n* OWASP: [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n* SEI CERT Oracle Coding Standard for Java: [IDS00-J. Prevent SQL injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS00-J.+Prevent+SQL+injection).\n* The Java Tutorials: [Using Prepared Statements](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html).\n* The Java EE Tutorial: [The Java Persistence Query Language](https://docs.oracle.com/javaee/7/tutorial/persistence-querylanguage.htm).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-564](https://cwe.mitre.org/data/definitions/564.html).\n", + "markdown": "# Query built from user-controlled sources\nIf a database query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious database queries. This applies to various database query languages, including SQL and the Java Persistence Query Language.\n\n\n## Recommendation\nUsually, it is better to use a SQL prepared statement than to build a complete SQL query with string concatenation. 
A prepared statement can include a wildcard, written as a question mark (?), for each part of the SQL query that is expected to be filled in by a different value each time it is run. When the query is later executed, a value must be supplied for each wildcard in the query.\n\nIn the Java Persistence Query Language, it is better to use queries with parameters than to build a complete query with string concatenation. A Java Persistence query can include a parameter placeholder for each part of the query that is expected to be filled in by a different value when run. A parameter placeholder may be indicated by a colon (:) followed by a parameter name, or by a question mark (?) followed by an integer position. When the query is later executed, a value must be supplied for each parameter in the query, using the `setParameter` method. Specifying the query using the `@NamedQuery` annotation introduces an additional level of safety: the query must be a constant string literal, preventing construction by string concatenation, and the only way to fill in values for parts of the query is by setting positional parameters.\n\nIt is good practice to use prepared statements (in SQL) or query parameters (in the Java Persistence Query Language) for supplying parameter values to a query, whether or not any of the parameters are directly traceable to user input. Doing so avoids any need to worry about quoting and escaping.\n\n\n## Example\nIn the following example, the code runs a simple SQL query in two different ways.\n\nThe first way involves building a query, `query1`, by concatenating an environment variable with some string literals. The environment variable can include special characters, so this code allows for SQL injection attacks.\n\nThe second way, which shows good practice, involves building a query, `query2`, with a single string literal that includes a wildcard (`?`). The wildcard is then given a value by calling `setString`. 
This version is immune to injection attacks, because any special characters in the environment variable are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have SQL special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\"\n + category + \"' ORDER BY PRICE\";\n ResultSet results = statement.executeQuery(query1);\n}\n\n{\n // GOOD: use a prepared query\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE\";\n PreparedStatement statement = connection.prepareStatement(query2);\n statement.setString(1, category);\n ResultSet results = statement.executeQuery();\n}\n```\n\n## Example\nThe following code shows several different ways to run a Java Persistence query.\n\nThe first example involves building a query, `query1`, by concatenating an environment variable with some string literals. Just like the SQL example, the environment variable can include special characters, so this code allows for Java Persistence query injection attacks.\n\nThe remaining examples demonstrate different methods for safely building a Java Persistence query with user-supplied values:\n\n1. `query2` uses a single string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `query3` uses a single string literal that includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\n1. `namedQuery1` is defined using the `@NamedQuery` annotation, whose `query` attribute is a string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. 
`namedQuery2` is defined using the `@NamedQuery` annotation, whose `query` attribute includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\nThe parameter is then given a value by calling `setParameter`. These versions are immune to injection attacks, because any special characters in the environment variable or user-supplied value are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have Java Persistence Query Language special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT p FROM Product p WHERE p.category LIKE '\"\n + category + \"' ORDER BY p.price\";\n Query q = entityManager.createQuery(query1);\n}\n\n{\n // GOOD: use a named parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\"\n Query q = entityManager.createQuery(query2);\n q.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a positional parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query3 = \"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\"\n Query q = entityManager.createQuery(query3);\n q.setParameter(1, category);\n}\n\n{\n // GOOD: use a named query with a named parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery1 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery1.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a named query with a positional parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY 
p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery2 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery2.setParameter(1, category);\n}\n```\n\n## References\n* OWASP: [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n* SEI CERT Oracle Coding Standard for Java: [IDS00-J. Prevent SQL injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS00-J.+Prevent+SQL+injection).\n* The Java Tutorials: [Using Prepared Statements](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html).\n* The Java EE Tutorial: [The Java Persistence Query Language](https://docs.oracle.com/javaee/7/tutorial/persistence-querylanguage.htm).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-564](https://cwe.mitre.org/data/definitions/564.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-089", + "external/cwe/cwe-564", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/ssrf", + "name": "java/ssrf", + "shortDescription": { + "text": "Server-side request forgery" + }, + "fullDescription": { + "text": "Making web requests based on unvalidated user-input may cause the server to communicate with malicious servers." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Server-side request forgery\nDirectly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. 
In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.\n\n\n## Recommendation\nTo guard against SSRF attacks, you should avoid putting user-provided input directly into a request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the input provided. Alternatively, ensure requests constructed from user input are limited to a particular host or more restrictive URL prefix.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\nimport java.net.http.HttpClient;\n\npublic class SSRF extends HttpServlet {\n\tprivate static final String VALID_URI = \"http://lgtm.com\";\n\tprivate HttpClient client = HttpClient.newHttpClient();\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\tthrows ServletException, IOException {\n\t\tURI uri = new URI(request.getParameter(\"uri\"));\n\t\t// BAD: a request parameter is incorporated without validation into a Http request\n\t\tHttpRequest r = HttpRequest.newBuilder(uri).build();\n\t\tclient.send(r, null);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_URI.equals(request.getParameter(\"uri\"))) {\n\t\t\tHttpRequest r2 = HttpRequest.newBuilder(uri).build();\n\t\t\tclient.send(r2, null);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* [OWASP SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n", + "markdown": "# Server-side request forgery\nDirectly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. 
In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.\n\n\n## Recommendation\nTo guard against SSRF attacks, you should avoid putting user-provided input directly into a request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the input provided. Alternatively, ensure requests constructed from user input are limited to a particular host or more restrictive URL prefix.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\nimport java.net.http.HttpClient;\n\npublic class SSRF extends HttpServlet {\n\tprivate static final String VALID_URI = \"http://lgtm.com\";\n\tprivate HttpClient client = HttpClient.newHttpClient();\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\tthrows ServletException, IOException {\n\t\tURI uri = new URI(request.getParameter(\"uri\"));\n\t\t// BAD: a request parameter is incorporated without validation into a Http request\n\t\tHttpRequest r = HttpRequest.newBuilder(uri).build();\n\t\tclient.send(r, null);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_URI.equals(request.getParameter(\"uri\"))) {\n\t\t\tHttpRequest r2 = HttpRequest.newBuilder(uri).build();\n\t\t\tclient.send(r2, null);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* [OWASP SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-918", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql", + "precision": "high", + "security-severity": "9.1" + } + }, + { + "id": "java/stack-trace-exposure", + "name": "java/stack-trace-exposure", + "shortDescription": { + "text": "Information exposure through a stack trace" + }, + "fullDescription": { + "text": "Information from a stack trace propagates to an external user. Stack traces can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. 
That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n", + "markdown": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. 
The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. 
Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-209", + "external/cwe/cwe-497", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql", + "precision": "high", + "security-severity": "5.4" + } + }, + { + "id": "java/static-initialization-vector", + "name": "java/static-initialization-vector", + "shortDescription": { + "text": "Using a static initialization vector for encryption" + }, + "fullDescription": { + "text": "An initialization vector (IV) used for ciphers of certain modes (such as CBC or GCM) should be unique and unpredictable, to maximize encryption and prevent dictionary attacks." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Using a static initialization vector for encryption\nWhen a cipher is used in certain modes such as CBC or GCM, it requires an initialization vector (IV). Under the same secret key, IVs should be unique and ideally unpredictable. If the same IV is used with the same secret key, then the same plaintext results in the same ciphertext. 
This can let an attacker learn if the same data pieces are transferred or stored, or help the attacker run a dictionary attack.\n\n\n## Recommendation\nUse a random IV generated by `SecureRandom`.\n\n\n## Example\nThe following example initializes a cipher with a static IV, which is unsafe:\n\n\n```java\nbyte[] iv = new byte[16]; // all zeroes\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\nThe next example initializes a cipher with a random IV:\n\n\n```java\nbyte[] iv = new byte[16];\nSecureRandom random = SecureRandom.getInstanceStrong();\nrandom.nextBytes(iv);\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\n\n## References\n* Wikipedia: [Initialization vector](https://en.wikipedia.org/wiki/Initialization_vector).\n* National Institute of Standards and Technology: [Recommendation for Block Cipher Modes of Operation](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).\n* National Institute of Standards and Technology: [FIPS 140-2: Security Requirements for Cryptographic Modules](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf).\n* Common Weakness Enumeration: [CWE-329](https://cwe.mitre.org/data/definitions/329.html).\n* Common Weakness Enumeration: [CWE-1204](https://cwe.mitre.org/data/definitions/1204.html).\n", + "markdown": "# Using a static initialization vector for encryption\nWhen a cipher is used in certain modes such as CBC or GCM, it requires an initialization vector (IV). Under the same secret key, IVs should be unique and ideally unpredictable. If the same IV is used with the same secret key, then the same plaintext results in the same ciphertext. 
This can let an attacker learn if the same data pieces are transferred or stored, or help the attacker run a dictionary attack.\n\n\n## Recommendation\nUse a random IV generated by `SecureRandom`.\n\n\n## Example\nThe following example initializes a cipher with a static IV, which is unsafe:\n\n\n```java\nbyte[] iv = new byte[16]; // all zeroes\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\nThe next example initializes a cipher with a random IV:\n\n\n```java\nbyte[] iv = new byte[16];\nSecureRandom random = SecureRandom.getInstanceStrong();\nrandom.nextBytes(iv);\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\n\n## References\n* Wikipedia: [Initialization vector](https://en.wikipedia.org/wiki/Initialization_vector).\n* National Institute of Standards and Technology: [Recommendation for Block Cipher Modes of Operation](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).\n* National Institute of Standards and Technology: [FIPS 140-2: Security Requirements for Cryptographic Modules](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf).\n* Common Weakness Enumeration: [CWE-329](https://cwe.mitre.org/data/definitions/329.html).\n* Common Weakness Enumeration: [CWE-1204](https://cwe.mitre.org/data/definitions/1204.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1204", + "external/cwe/cwe-329", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/summary/lines-of-code", + "name": "java/summary/lines-of-code", + "shortDescription": { + "text": "Total lines of Java/Kotlin 
code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Java and Kotlin files. This is a useful metric of the size of a database. For all source files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "lines-of-code", + "summary" + ] + } + }, + { + "id": "java/summary/lines-of-code-java", + "name": "java/summary/lines-of-code-java", + "shortDescription": { + "text": "Total lines of Java code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Java files. This is a useful metric of the size of a database. For all Java files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "summary" + ] + } + }, + { + "id": "java/summary/lines-of-code-kotlin", + "name": "java/summary/lines-of-code-kotlin", + "shortDescription": { + "text": "Total lines of Kotlin code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Kotlin files. This is a useful metric of the size of a database. For all Kotlin files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "summary" + ] + } + }, + { + "id": "java/tainted-format-string", + "name": "java/tainted-format-string", + "shortDescription": { + "text": "Use of externally-controlled format string" + }, + "fullDescription": { + "text": "Using external input in format strings can lead to exceptions or information leaks." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of externally-controlled format string\nThe `String.format` method and related methods, like `PrintStream.printf` and `Formatter.format`, all accept a format string that is used to format the trailing arguments to the format call by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain extra format specifiers that cause an exception to be thrown or information to be leaked.\n\nThe Java standard library implementation for the format methods throws an exception if either the format specifier does not match the type of the argument, or if there are too few or too many arguments. If unsanitized input is used in the format string, it may contain invalid extra format specifiers which cause an exception to be thrown.\n\nPositional format specifiers may be used to access an argument to the format call by position. Unsanitized input in the format string may use a positional format specifier to access information that was not intended to be visible. 
For example, when formatting a Calendar instance we may intend to print only the year, but a user-specified format string may include a specifier to access the month and day.\n\n\n## Recommendation\nIf the argument passed as a format string is meant to be a plain string rather than a format string, then pass `%s` as the format string, and pass the original argument as the sole trailing argument.\n\n\n## Example\nThe following program is meant to check a card security code for a stored credit card:\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response)\n throws ServletException, IOException {\n Calendar expirationDate = new GregorianCalendar(2017, GregorianCalendar.SEPTEMBER, 1);\n // User provided value\n String cardSecurityCode = request.getParameter(\"cardSecurityCode\");\n \n if (notValid(cardSecurityCode)) {\n \n /*\n * BAD: user provided value is included in the format string.\n * A malicious user could provide an extra format specifier, which causes an\n * exception to be thrown. Or they could provide a %1$tm or %1$te format specifier to\n * access the month or day of the expiration date.\n */\n System.out.format(cardSecurityCode +\n \" is not the right value. Hint: the card expires in %1$ty.\",\n expirationDate);\n \n // GOOD: %s is used to include the user-provided cardSecurityCode in the output\n System.out.format(\"%s is not the right value. Hint: the card expires in %2$ty.\",\n cardSecurityCode,\n expirationDate);\n }\n\n }\n}\n```\nHowever, in the first format call it uses the cardSecurityCode provided by the user in a format string. If the user includes a format specifier in the cardSecurityCode field, they may be able to cause an exception to be thrown, or to be able to access extra information about the stored card expiration date.\n\nThe second format call shows the correct approach. The user-provided value is passed as an argument to the format call. 
This prevents any format specifiers in the user provided value from being evaluated.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [IDS06-J. Exclude unsanitized user input from format strings](https://wiki.sei.cmu.edu/confluence/display/java/IDS06-J.+Exclude+unsanitized+user+input+from+format+strings).\n* The Java Tutorials: [Formatting Numeric Print Output](https://docs.oracle.com/javase/tutorial/java/data/numberformat.html).\n* Java API Specification: [Formatter](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/Formatter.html).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n", + "markdown": "# Use of externally-controlled format string\nThe `String.format` method and related methods, like `PrintStream.printf` and `Formatter.format`, all accept a format string that is used to format the trailing arguments to the format call by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain extra format specifiers that cause an exception to be thrown or information to be leaked.\n\nThe Java standard library implementation for the format methods throws an exception if either the format specifier does not match the type of the argument, or if there are too few or too many arguments. If unsanitized input is used in the format string, it may contain invalid extra format specifiers which cause an exception to be thrown.\n\nPositional format specifiers may be used to access an argument to the format call by position. Unsanitized input in the format string may use a positional format specifier to access information that was not intended to be visible. 
For example, when formatting a Calendar instance we may intend to print only the year, but a user-specified format string may include a specifier to access the month and day.\n\n\n## Recommendation\nIf the argument passed as a format string is meant to be a plain string rather than a format string, then pass `%s` as the format string, and pass the original argument as the sole trailing argument.\n\n\n## Example\nThe following program is meant to check a card security code for a stored credit card:\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response)\n throws ServletException, IOException {\n Calendar expirationDate = new GregorianCalendar(2017, GregorianCalendar.SEPTEMBER, 1);\n // User provided value\n String cardSecurityCode = request.getParameter(\"cardSecurityCode\");\n \n if (notValid(cardSecurityCode)) {\n \n /*\n * BAD: user provided value is included in the format string.\n * A malicious user could provide an extra format specifier, which causes an\n * exception to be thrown. Or they could provide a %1$tm or %1$te format specifier to\n * access the month or day of the expiration date.\n */\n System.out.format(cardSecurityCode +\n \" is not the right value. Hint: the card expires in %1$ty.\",\n expirationDate);\n \n // GOOD: %s is used to include the user-provided cardSecurityCode in the output\n System.out.format(\"%s is not the right value. Hint: the card expires in %2$ty.\",\n cardSecurityCode,\n expirationDate);\n }\n\n }\n}\n```\nHowever, in the first format call it uses the cardSecurityCode provided by the user in a format string. If the user includes a format specifier in the cardSecurityCode field, they may be able to cause an exception to be thrown, or to be able to access extra information about the stored card expiration date.\n\nThe second format call shows the correct approach. The user-provided value is passed as an argument to the format call. 
This prevents any format specifiers in the user provided value from being evaluated.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [IDS06-J. Exclude unsanitized user input from format strings](https://wiki.sei.cmu.edu/confluence/display/java/IDS06-J.+Exclude+unsanitized+user+input+from+format+strings).\n* The Java Tutorials: [Formatting Numeric Print Output](https://docs.oracle.com/javase/tutorial/java/data/numberformat.html).\n* Java API Specification: [Formatter](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/Formatter.html).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-134", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/tainted-numeric-cast", + "name": "java/tainted-numeric-cast", + "shortDescription": { + "text": "User-controlled data in numeric cast" + }, + "fullDescription": { + "text": "Casting user-controlled numeric data to a narrower type without validation can cause unexpected truncation." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# User-controlled data in numeric cast\nCasting a user-controlled numeric value to a narrower type can result in truncated values unless the input is validated.\n\nNarrowing conversions may cause potentially unintended results. 
For example, casting the positive integer value `128` to type `byte` yields the negative value `-128`.\n\n\n## Recommendation\nGuard against unexpected truncation of user-controlled arithmetic data by doing one of the following:\n\n* Validate the user input.\n* Define a guard on the cast expression, so that the cast is performed only if the input is known to be within the range of the resulting type.\n* Avoid casting to a narrower type, and instead continue to use a wider type.\n\n## Example\nIn this example, a value is read from standard input into a `long`. Because the value is a user-controlled value, it could be extremely large. Casting this value to a narrower type could therefore cause unexpected truncation. The `scaled2` example uses a guard to avoid this problem and checks the range of the input before performing the cast. If the value is too large to cast to type `int` it is rejected as invalid.\n\n\n```java\nclass Test {\n\tpublic static void main(String[] args) throws IOException {\n\t\t{\n\t\t\tlong data;\n\n\t\t\tBufferedReader readerBuffered = new BufferedReader(\n\t\t\t\t\tnew InputStreamReader(System.in, \"UTF-8\"));\n\t\t\tString stringNumber = readerBuffered.readLine();\n\t\t\tif (stringNumber != null) {\n\t\t\t\tdata = Long.parseLong(stringNumber.trim());\n\t\t\t} else {\n\t\t\t\tdata = 0;\n\t\t\t}\n\n\t\t\t// AVOID: potential truncation if input data is very large,\n\t\t\t// for example 'Long.MAX_VALUE'\n\t\t\tint scaled = (int)data;\n\n\t\t\t//...\n\n\t\t\t// GOOD: use a guard to ensure no truncation occurs\n\t\t\tint scaled2;\n\t\t\tif (data > Integer.MIN_VALUE && data < Integer.MAX_VALUE)\n\t\t\t\tscaled2 = (int)data;\n\t\t\telse\n\t\t\t\tthrow new IllegalArgumentException(\"Invalid input\");\n\t\t}\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [NUM12-J. 
Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data](https://wiki.sei.cmu.edu/confluence/display/java/NUM12-J.+Ensure+conversions+of+numeric+types+to+narrower+types+do+not+result+in+lost+or+misinterpreted+data).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n", + "markdown": "# User-controlled data in numeric cast\nCasting a user-controlled numeric value to a narrower type can result in truncated values unless the input is validated.\n\nNarrowing conversions may cause potentially unintended results. For example, casting the positive integer value `128` to type `byte` yields the negative value `-128`.\n\n\n## Recommendation\nGuard against unexpected truncation of user-controlled arithmetic data by doing one of the following:\n\n* Validate the user input.\n* Define a guard on the cast expression, so that the cast is performed only if the input is known to be within the range of the resulting type.\n* Avoid casting to a narrower type, and instead continue to use a wider type.\n\n## Example\nIn this example, a value is read from standard input into a `long`. Because the value is a user-controlled value, it could be extremely large. Casting this value to a narrower type could therefore cause unexpected truncation. The `scaled2` example uses a guard to avoid this problem and checks the range of the input before performing the cast. 
If the value is too large to cast to type `int` it is rejected as invalid.\n\n\n```java\nclass Test {\n\tpublic static void main(String[] args) throws IOException {\n\t\t{\n\t\t\tlong data;\n\n\t\t\tBufferedReader readerBuffered = new BufferedReader(\n\t\t\t\t\tnew InputStreamReader(System.in, \"UTF-8\"));\n\t\t\tString stringNumber = readerBuffered.readLine();\n\t\t\tif (stringNumber != null) {\n\t\t\t\tdata = Long.parseLong(stringNumber.trim());\n\t\t\t} else {\n\t\t\t\tdata = 0;\n\t\t\t}\n\n\t\t\t// AVOID: potential truncation if input data is very large,\n\t\t\t// for example 'Long.MAX_VALUE'\n\t\t\tint scaled = (int)data;\n\n\t\t\t//...\n\n\t\t\t// GOOD: use a guard to ensure no truncation occurs\n\t\t\tint scaled2;\n\t\t\tif (data > Integer.MIN_VALUE && data < Integer.MAX_VALUE)\n\t\t\t\tscaled2 = (int)data;\n\t\t\telse\n\t\t\t\tthrow new IllegalArgumentException(\"Invalid input\");\n\t\t}\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data](https://wiki.sei.cmu.edu/confluence/display/java/NUM12-J.+Ensure+conversions+of+numeric+types+to+narrower+types+do+not+result+in+lost+or+misinterpreted+data).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-197", + "external/cwe/cwe-681", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql", + "precision": "high", + "security-severity": "9" + } + }, + { + "id": "java/tainted-permissions-check", + "name": "java/tainted-permissions-check", + "shortDescription": { + "text": "User-controlled data used in permissions check" + }, + "fullDescription": { + "text": "Using user-controlled data in a 
permissions check may result in inappropriate permissions being granted." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# User-controlled data used in permissions check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nThis example, using the Apache Shiro security framework, shows two ways to specify the permissions to check. The first way uses a string, `whatDoTheyWantToDo`, to specify the permissions to check. However, this string is built from user input. This can allow an attacker to force a check against a permission that they know they have, rather than the permission that should be checked. For example, while trying to access the account details of another user, the attacker could force the system to check whether they had permissions to access their *own* account details, which is incorrect, and would allow them to perform the action. 
The second, more secure way uses a fixed check that does not depend on data that is controlled by the user.\n\n\n```java\npublic static void main(String[] args) {\n\tString whatDoTheyWantToDo = args[0];\n\tSubject subject = SecurityUtils.getSubject();\n\n\t// BAD: permissions decision made using tainted data\n\tif(subject.isPermitted(\"domain:sublevel:\" + whatDoTheyWantToDo))\n\t\tdoIt();\n\n\t// GOOD: use fixed checks\n\tif(subject.isPermitted(\"domain:sublevel:whatTheMethodDoes\"))\n\t\tdoIt();\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SEC02-J. Do not base security checks on untrusted sources](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources).\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n", + "markdown": "# User-controlled data used in permissions check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nThis example, using the Apache Shiro security framework, shows two ways to specify the permissions to check. The first way uses a string, `whatDoTheyWantToDo`, to specify the permissions to check. However, this string is built from user input. 
This can allow an attacker to force a check against a permission that they know they have, rather than the permission that should be checked. For example, while trying to access the account details of another user, the attacker could force the system to check whether they had permissions to access their *own* account details, which is incorrect, and would allow them to perform the action. The second, more secure way uses a fixed check that does not depend on data that is controlled by the user.\n\n\n```java\npublic static void main(String[] args) {\n\tString whatDoTheyWantToDo = args[0];\n\tSubject subject = SecurityUtils.getSubject();\n\n\t// BAD: permissions decision made using tainted data\n\tif(subject.isPermitted(\"domain:sublevel:\" + whatDoTheyWantToDo))\n\t\tdoIt();\n\n\t// GOOD: use fixed checks\n\tif(subject.isPermitted(\"domain:sublevel:whatTheMethodDoes\"))\n\t\tdoIt();\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SEC02-J. Do not base security checks on untrusted sources](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources).\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-290", + "external/cwe/cwe-807", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/telemetry/external-libs", + "name": "java/telemetry/external-libs", + "shortDescription": { + "text": "External libraries" + }, + "fullDescription": { + "text": "A list of external libraries used in the code" + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": 
"java/telemetry/extraction-information", + "name": "java/telemetry/extraction-information", + "shortDescription": { + "text": "Java extraction information" + }, + "fullDescription": { + "text": "Information about the extraction for a Java database" + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api", + "name": "java/telemetry/supported-external-api", + "shortDescription": { + "text": "Usage of supported APIs coming from external libraries" + }, + "fullDescription": { + "text": "A list of supported 3rd party APIs used in the codebase. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-sinks", + "name": "java/telemetry/supported-external-api-sinks", + "shortDescription": { + "text": "Supported sinks in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as sinks. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-sources", + "name": "java/telemetry/supported-external-api-sources", + "shortDescription": { + "text": "Supported sources in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as sources. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-taint", + "name": "java/telemetry/supported-external-api-taint", + "shortDescription": { + "text": "Supported flow steps in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as flow steps. Excludes test and generated code." 
+ }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/unsupported-external-api", + "name": "java/telemetry/unsupported-external-api", + "shortDescription": { + "text": "Usage of unsupported APIs coming from external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs used in the codebase. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/unsafe-deserialization", + "name": "java/unsafe-deserialization", + "shortDescription": { + "text": "Deserialization of user-controlled data" + }, + "fullDescription": { + "text": "Deserializing user-controlled data may allow attackers to execute arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.\n\nThere are many different serialization frameworks. This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through `ObjectInputStream`/`ObjectOutputStream`.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. 
If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\nRecommendations specific to particular frameworks supported by this query:\n\n**FastJson** - `com.alibaba:fastjson`\n\n* **Secure by Default**: Partially\n* **Recommendation**: Call `com.alibaba.fastjson.parser.ParserConfig#setSafeMode` with the argument `true` before deserializing untrusted data.\n\n\n**FasterXML** - `com.fasterxml.jackson.core:jackson-databind`\n\n* **Secure by Default**: Yes\n* **Recommendation**: Don't call `com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping` and don't annotate any object fields with `com.fasterxml.jackson.annotation.JsonTypeInfo` passing either the `CLASS` or `MINIMAL_CLASS` values to the annotation. 
Read [this guide](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba).\n\n\n**Kryo** - `com.esotericsoftware:kryo` and `com.esotericsoftware:kryo5`\n\n* **Secure by Default**: Yes for `com.esotericsoftware:kryo5` and for `com.esotericsoftware:kryo` >= v5.0.0\n* **Recommendation**: Don't call `com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired` with the argument `false` on any `Kryo` instance that may deserialize untrusted data.\n\n\n**ObjectInputStream** - `Java Standard Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Use a validating input stream, such as `org.apache.commons.io.serialization.ValidatingObjectInputStream`.\n\n\n**SnakeYAML** - `org.yaml:snakeyaml`\n\n* **Secure by Default**: No\n* **Recommendation**: Pass an instance of `org.yaml.snakeyaml.constructor.SafeConstructor` to `org.yaml.snakeyaml.Yaml`'s constructor before using it to deserialize untrusted data.\n\n\n**XML Decoder** - `Standard Java Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Do not use with untrusted user input.\n\n\n**ObjectMesssage** - `Java EE/Jakarta EE`\n\n* **Secure by Default**: Depends on the JMS implementation.\n* **Recommendation**: Do not use with untrusted user input.\n\n\n\n## Example\nThe following example calls `readObject` directly on an `ObjectInputStream` that is constructed from untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic MyObject {\n public int field;\n MyObject(int field) {\n this.field = field;\n }\n}\n\npublic MyObject deserialize(Socket sock) {\n try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {\n return (MyObject)in.readObject(); // unsafe\n }\n}\n\n```\nRewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.\n\n\n```java\npublic MyObject deserialize(Socket sock) {\n try(DataInputStream in = new DataInputStream(sock.getInputStream())) {\n return new MyObject(in.readInt());\n 
}\n}\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Talks by Chris Frohoff & Gabriel Lawrence: [ AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day](http://frohoff.github.io/appseccali-marshalling-pickles/), [OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization](http://frohoff.github.io/owaspsd-deserialize-my-shorts/).\n* Alvaro Muñoz & Christian Schneider, RSAConference 2016: [Serial Killer: Silently Pwning Your Java Endpoints](https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints).\n* SnakeYaml documentation on deserialization: [SnakeYaml deserialization](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml).\n* Hessian deserialization and related gadget chains: [Hessian deserialization](https://paper.seebug.org/1137/).\n* Castor and Hessian java deserialization vulnerabilities: [Castor and Hessian deserialization](https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/).\n* Remote code execution in JYaml library: [JYaml deserialization](https://www.cybersecurity-help.cz/vdb/SB2020022512).\n* JsonIO deserialization vulnerabilities: [JsonIO deserialization](https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/).\n* Research by Moritz Bechler: [Java Unmarshaller Security - Turning your data into code execution](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)\n* Blog posts by the developer of Jackson libraries: [On Jackson CVEs: Don’t Panic — Here is what you need to 
know](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) [Jackson 2.10: Safe Default Typing](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba)\n* Jabsorb documentation on deserialization: [Jabsorb JSON Serializer](https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/).\n* Jodd JSON documentation on deserialization: [JoddJson Parser](https://json.jodd.org/parser).\n* RCE in Flexjson: [Flexjson deserialization](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html).\n* Android Intent deserialization vulnerabilities with GSON parser: [Insecure use of JSON parsers](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers).\n* Research by Matthias Kaiser: [Pwning Your Java Messaging With Deserialization Vulnerabilities](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n", + "markdown": "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.\n\nThere are many different serialization frameworks. 
This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through `ObjectInputStream`/`ObjectOutputStream`.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\nRecommendations specific to particular frameworks supported by this query:\n\n**FastJson** - `com.alibaba:fastjson`\n\n* **Secure by Default**: Partially\n* **Recommendation**: Call `com.alibaba.fastjson.parser.ParserConfig#setSafeMode` with the argument `true` before deserializing untrusted data.\n\n\n**FasterXML** - `com.fasterxml.jackson.core:jackson-databind`\n\n* **Secure by Default**: Yes\n* **Recommendation**: Don't call `com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping` and don't annotate any object fields with `com.fasterxml.jackson.annotation.JsonTypeInfo` passing either the `CLASS` or `MINIMAL_CLASS` values to the annotation. 
Read [this guide](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba).\n\n\n**Kryo** - `com.esotericsoftware:kryo` and `com.esotericsoftware:kryo5`\n\n* **Secure by Default**: Yes for `com.esotericsoftware:kryo5` and for `com.esotericsoftware:kryo` >= v5.0.0\n* **Recommendation**: Don't call `com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired` with the argument `false` on any `Kryo` instance that may deserialize untrusted data.\n\n\n**ObjectInputStream** - `Java Standard Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Use a validating input stream, such as `org.apache.commons.io.serialization.ValidatingObjectInputStream`.\n\n\n**SnakeYAML** - `org.yaml:snakeyaml`\n\n* **Secure by Default**: No\n* **Recommendation**: Pass an instance of `org.yaml.snakeyaml.constructor.SafeConstructor` to `org.yaml.snakeyaml.Yaml`'s constructor before using it to deserialize untrusted data.\n\n\n**XML Decoder** - `Standard Java Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Do not use with untrusted user input.\n\n\n**ObjectMesssage** - `Java EE/Jakarta EE`\n\n* **Secure by Default**: Depends on the JMS implementation.\n* **Recommendation**: Do not use with untrusted user input.\n\n\n\n## Example\nThe following example calls `readObject` directly on an `ObjectInputStream` that is constructed from untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic MyObject {\n public int field;\n MyObject(int field) {\n this.field = field;\n }\n}\n\npublic MyObject deserialize(Socket sock) {\n try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {\n return (MyObject)in.readObject(); // unsafe\n }\n}\n\n```\nRewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.\n\n\n```java\npublic MyObject deserialize(Socket sock) {\n try(DataInputStream in = new DataInputStream(sock.getInputStream())) {\n return new MyObject(in.readInt());\n 
}\n}\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Talks by Chris Frohoff & Gabriel Lawrence: [ AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day](http://frohoff.github.io/appseccali-marshalling-pickles/), [OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization](http://frohoff.github.io/owaspsd-deserialize-my-shorts/).\n* Alvaro Muñoz & Christian Schneider, RSAConference 2016: [Serial Killer: Silently Pwning Your Java Endpoints](https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints).\n* SnakeYaml documentation on deserialization: [SnakeYaml deserialization](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml).\n* Hessian deserialization and related gadget chains: [Hessian deserialization](https://paper.seebug.org/1137/).\n* Castor and Hessian java deserialization vulnerabilities: [Castor and Hessian deserialization](https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/).\n* Remote code execution in JYaml library: [JYaml deserialization](https://www.cybersecurity-help.cz/vdb/SB2020022512).\n* JsonIO deserialization vulnerabilities: [JsonIO deserialization](https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/).\n* Research by Moritz Bechler: [Java Unmarshaller Security - Turning your data into code execution](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)\n* Blog posts by the developer of Jackson libraries: [On Jackson CVEs: Don’t Panic — Here is what you need to 
know](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) [Jackson 2.10: Safe Default Typing](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba)\n* Jabsorb documentation on deserialization: [Jabsorb JSON Serializer](https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/).\n* Jodd JSON documentation on deserialization: [JoddJson Parser](https://json.jodd.org/parser).\n* RCE in Flexjson: [Flexjson deserialization](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html).\n* Android Intent deserialization vulnerabilities with GSON parser: [Insecure use of JSON parsers](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers).\n* Research by Matthias Kaiser: [Pwning Your Java Messaging With Deserialization Vulnerabilities](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-502", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/unsafe-hostname-verification", + "name": "java/unsafe-hostname-verification", + "shortDescription": { + "text": "Unsafe hostname verification" + }, + "fullDescription": { + "text": "Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Unsafe hostname verification\nIf a `HostnameVerifier` always returns `true` it will not verify the hostname at all. 
This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a man-in-the-middle attack against the application.\n\nAn attack might look like this:\n\n1. The program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.\n1. The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.\n1. The Java HTTPS library checks whether the certificate has been issued for the host `example.com`. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: `malicious.domain`.\n1. The HTTPS library wants to reject the certificate because the hostname does not match. Before doing this it checks whether a `HostnameVerifier` exists.\n1. Your `HostnameVerifier` is called which returns `true` for any certificate so also for this one.\n1. The program proceeds with the connection since your `HostnameVerifier` accepted it.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use an open `HostnameVerifier`. If you have a configuration problem with TLS/HTTPS, you should always solve the configuration problem instead of using an open verifier.\n\n\n## Example\nIn the first (bad) example, the `HostnameVerifier` always returns `true`. This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname. 
In the second (good) example, the `HostnameVerifier` only returns `true` when the certificate has been correctly checked.\n\n\n```java\npublic static void main(String[] args) {\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\treturn true; // BAD: accept even if the hostname doesn't match\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\ttry { // GOOD: verify the certificate\n\t\t\t\t\tCertificate[] certs = session.getPeerCertificates();\n\t\t\t\t\tX509Certificate x509 = (X509Certificate) certs[0];\n\t\t\t\t\tcheck(new String[]{host}, x509);\n\t\t\t\t\treturn true;\n\t\t\t\t} catch (SSLException e) {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n}\n```\n\n## References\n* Android developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Terse systems blog: [Fixing Hostname Verification](https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n", + "markdown": "# Unsafe hostname verification\nIf a `HostnameVerifier` always returns `true` it will not verify the hostname at all. This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a man-in-the-middle attack against the application.\n\nAn attack might look like this:\n\n1. The program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.\n1. The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.\n1. 
The Java HTTPS library checks whether the certificate has been issued for the host `example.com`. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: `malicious.domain`.\n1. The HTTPS library wants to reject the certificate because the hostname does not match. Before doing this it checks whether a `HostnameVerifier` exists.\n1. Your `HostnameVerifier` is called which returns `true` for any certificate so also for this one.\n1. The program proceeds with the connection since your `HostnameVerifier` accepted it.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use an open `HostnameVerifier`. If you have a configuration problem with TLS/HTTPS, you should always solve the configuration problem instead of using an open verifier.\n\n\n## Example\nIn the first (bad) example, the `HostnameVerifier` always returns `true`. This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname. 
In the second (good) example, the `HostnameVerifier` only returns `true` when the certificate has been correctly checked.\n\n\n```java\npublic static void main(String[] args) {\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\treturn true; // BAD: accept even if the hostname doesn't match\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\ttry { // GOOD: verify the certificate\n\t\t\t\t\tCertificate[] certs = session.getPeerCertificates();\n\t\t\t\t\tX509Certificate x509 = (X509Certificate) certs[0];\n\t\t\t\t\tcheck(new String[]{host}, x509);\n\t\t\t\t\treturn true;\n\t\t\t\t} catch (SSLException e) {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n}\n```\n\n## References\n* Android developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Terse systems blog: [Fixing Hostname Verification](https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-297", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql", + "precision": "high", + "security-severity": "5.9" + } + }, + { + "id": "java/unvalidated-url-forward", + "name": "java/unvalidated-url-forward", + "shortDescription": { + "text": "URL forward from a remote source" + }, + "fullDescription": { + "text": "URL forward based on unvalidated user input may cause file information disclosure." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# URL forward from a remote source\nDirectly incorporating user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.\n\n\n## Recommendation\nTo guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\npublic class UrlForward extends HttpServlet {\n\tprivate static final String VALID_FORWARD = \"https://cwe.mitre.org/data/definitions/552.html\";\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\t\tthrows ServletException, IOException {\n\t\tServletConfig cfg = getServletConfig();\n\t\tServletContext sc = cfg.getServletContext();\n\n\t\t// BAD: a request parameter is incorporated without validation into a URL forward\n\t\tsc.getRequestDispatcher(request.getParameter(\"target\")).forward(request, response);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_FORWARD.equals(request.getParameter(\"target\"))) {\n\t\t\tsc.getRequestDispatcher(VALID_FORWARD).forward(request, response);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* OWASP: [Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-552](https://cwe.mitre.org/data/definitions/552.html).\n", + "markdown": "# URL forward from a remote source\nDirectly incorporating 
user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.\n\n\n## Recommendation\nTo guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\npublic class UrlForward extends HttpServlet {\n\tprivate static final String VALID_FORWARD = \"https://cwe.mitre.org/data/definitions/552.html\";\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\t\tthrows ServletException, IOException {\n\t\tServletConfig cfg = getServletConfig();\n\t\tServletContext sc = cfg.getServletContext();\n\n\t\t// BAD: a request parameter is incorporated without validation into a URL forward\n\t\tsc.getRequestDispatcher(request.getParameter(\"target\")).forward(request, response);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_FORWARD.equals(request.getParameter(\"target\"))) {\n\t\t\tsc.getRequestDispatcher(VALID_FORWARD).forward(request, response);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* OWASP: [Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-552](https://cwe.mitre.org/data/definitions/552.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-552", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-552/UrlForward.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/unvalidated-url-redirection", + "name": "java/unvalidated-url-redirection", + "shortDescription": { + "text": "URL redirection from remote source" + }, + "fullDescription": { + "text": "URL redirection based on unvalidated user-input may cause redirection to malicious web sites." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# URL redirection from remote source\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n response.sendRedirect(request.getParameter(\"target\"));\n }\n}\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n private static final List VALID_REDIRECTS = Arrays.asList(\n \"http://cwe.mitre.org/data/definitions/601.html\",\n \"http://cwe.mitre.org/data/definitions/79.html\"\n );\n\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // GOOD: the request parameter is validated against a known list of strings\n String target = request.getParameter(\"target\");\n if (VALID_REDIRECTS.contains(target)) {\n response.sendRedirect(target);\n } else {\n response.sendRedirect(\"/error.html\");\n }\n }\n}\n```\nAlternatively, we can check that the target URL does not redirect to a different host by checking that the URL is either relative or on a known good host:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n try {\n String urlString = request.getParameter(\"page\");\n URI url = new URI(urlString);\n\n if 
(!url.isAbsolute()) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a relative URL\n }\n\n if (\"example.org\".equals(url.getHost())) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a known host\n }\n } catch (URISyntaxException e) {\n // handle exception\n }\n }\n}\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Microsoft Docs: [Preventing Open Redirection Attacks (C\\#)](https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", + "markdown": "# URL redirection from remote source\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n response.sendRedirect(request.getParameter(\"target\"));\n }\n}\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n private static final List VALID_REDIRECTS = Arrays.asList(\n \"http://cwe.mitre.org/data/definitions/601.html\",\n \"http://cwe.mitre.org/data/definitions/79.html\"\n );\n\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // GOOD: the request parameter is validated against a known list of strings\n String target = request.getParameter(\"target\");\n if (VALID_REDIRECTS.contains(target)) {\n response.sendRedirect(target);\n } else {\n response.sendRedirect(\"/error.html\");\n }\n }\n}\n```\nAlternatively, we can check that the target URL does not redirect to a different host by checking that the URL is either relative or on a known good host:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n try {\n String urlString = request.getParameter(\"page\");\n URI url = new URI(urlString);\n\n if 
(!url.isAbsolute()) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a relative URL\n }\n\n if (\"example.org\".equals(url.getHost())) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a known host\n }\n } catch (URISyntaxException e) {\n // handle exception\n }\n }\n}\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Microsoft Docs: [Preventing Open Redirection Attacks (C\\#)](https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-601", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/weak-cryptographic-algorithm", + "name": "java/weak-cryptographic-algorithm", + "shortDescription": { + "text": "Use of a broken or risky cryptographic algorithm" + }, + "fullDescription": { + "text": "Using broken or weak cryptographic algorithms can allow an attacker to compromise security." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of a broken or risky cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. 
Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.\n\n\n## Example\nThe following code shows an example of using a java `Cipher` to encrypt some data. When creating a `Cipher` instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```java\n// BAD: DES is a weak algorithm \nCipher des = Cipher.getInstance(\"DES\");\ncipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);\n\nbyte[] encrypted = cipher.doFinal(input.getBytes(\"UTF-8\"));\n\n// ...\n\n// GOOD: AES is a strong algorithm\nCipher aes = Cipher.getInstance(\"AES\");\n\n// ...\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n", + "markdown": "# Use of a broken or risky cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. 
Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.\n\n\n## Example\nThe following code shows an example of using a java `Cipher` to encrypt some data. When creating a `Cipher` instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```java\n// BAD: DES is a weak algorithm \nCipher des = Cipher.getInstance(\"DES\");\ncipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);\n\nbyte[] encrypted = cipher.doFinal(input.getBytes(\"UTF-8\"));\n\n// ...\n\n// GOOD: AES is a strong algorithm\nCipher aes = Cipher.getInstance(\"AES\");\n\n// ...\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-327", + "external/cwe/cwe-328", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/world-writable-file-read", + "name": "java/world-writable-file-read", + "shortDescription": { + "text": "Reading from a world writable file" + }, + "fullDescription": { + "text": "Reading from a file which is set as world writable is dangerous because the file may be modified or removed by external actors." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Reading from a world writable file\nReading from a world-writable file is dangerous on a multi-user system because other users may be able to affect program execution by modifying or deleting the file.\n\n\n## Recommendation\nDo not make files explicitly world writable unless the file is intended to be written by multiple users on a multi-user system. In many cases, the file may only need to be writable for the current user.\n\nFor some file systems, there may be alternatives to setting the file to be world writable. For example, POSIX file systems support \"groups\" which may be used to ensure that only subset of all the users can write to the file. Access Control Lists (ACLs) are available for many operating system and file system combinations, and can provide fine-grained read and write support without resorting to world writable permissions.\n\n\n## Example\nIn the following example, we are loading some configuration parameters from a file:\n\n```java\n\nprivate void readConfig(File configFile) {\n if (!configFile.exists()) {\n // Create an empty config file\n configFile.createNewFile();\n // Make the file writable for all\n configFile.setWritable(true, false);\n }\n // Now read the config\n loadConfig(configFile);\n}\n\n```\nIf the configuration file does not yet exist, an empty file is created. Creating an empty file can simplify the later code and is a convenience for the user. However, by setting the file to be world writable, we allow any user on the system to modify the configuration, not just the current user. If there may be untrusted users on the system, this is potentially dangerous.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [FIO01-J. 
Create files with appropriate access permissions](https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions).\n* Common Weakness Enumeration: [CWE-732](https://cwe.mitre.org/data/definitions/732.html).\n", + "markdown": "# Reading from a world writable file\nReading from a world-writable file is dangerous on a multi-user system because other users may be able to affect program execution by modifying or deleting the file.\n\n\n## Recommendation\nDo not make files explicitly world writable unless the file is intended to be written by multiple users on a multi-user system. In many cases, the file may only need to be writable for the current user.\n\nFor some file systems, there may be alternatives to setting the file to be world writable. For example, POSIX file systems support \"groups\" which may be used to ensure that only subset of all the users can write to the file. Access Control Lists (ACLs) are available for many operating system and file system combinations, and can provide fine-grained read and write support without resorting to world writable permissions.\n\n\n## Example\nIn the following example, we are loading some configuration parameters from a file:\n\n```java\n\nprivate void readConfig(File configFile) {\n if (!configFile.exists()) {\n // Create an empty config file\n configFile.createNewFile();\n // Make the file writable for all\n configFile.setWritable(true, false);\n }\n // Now read the config\n loadConfig(configFile);\n}\n\n```\nIf the configuration file does not yet exist, an empty file is created. Creating an empty file can simplify the later code and is a convenience for the user. However, by setting the file to be world writable, we allow any user on the system to modify the configuration, not just the current user. If there may be untrusted users on the system, this is potentially dangerous.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [FIO01-J. 
Create files with appropriate access permissions](https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions).\n* Common Weakness Enumeration: [CWE-732](https://cwe.mitre.org/data/definitions/732.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-732", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/xml/xpath-injection", + "name": "java/xml/xpath-injection", + "shortDescription": { + "text": "XPath injection" + }, + "fullDescription": { + "text": "Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or pre-compile the query and use variable references to include the user input.\n\nXPath injection can also be prevented by using XQuery.\n\n\n## Example\nIn the first three examples, the code accepts a name and password specified by the user, and uses this unvalidated and unsanitized value in an XPath expression. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\nIn the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.\n\nThe final two examples are for dom4j. 
They show an example of XPath injection and one method of preventing it.\n\n\n```java\nfinal String xmlStr = \"\" + \n \" \" + \n \" \" + \n \"\";\ntry {\n DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();\n domFactory.setNamespaceAware(true);\n DocumentBuilder builder = domFactory.newDocumentBuilder();\n //Document doc = builder.parse(\"user.xml\");\n Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));\n\n XPathFactory factory = XPathFactory.newInstance();\n XPath xpath = factory.newXPath();\n\n // Injectable data\n String user = request.getParameter(\"user\");\n String pass = request.getParameter(\"pass\");\n if (user != null && pass != null) {\n boolean isExist = false;\n\n // Bad expression\n String expression1 = \"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\";\n isExist = (boolean)xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n XPathExpression expression2 = xpath.compile(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\");\n isExist = (boolean)expression2.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n StringBuffer sb = new StringBuffer(\"/users/user[@name=\");\n sb.append(user);\n sb.append(\"' and @pass='\");\n sb.append(pass);\n sb.append(\"']\");\n String query = sb.toString();\n XPathExpression expression3 = xpath.compile(query);\n isExist = (boolean)expression3.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Good expression\n String expression4 = \"/users/user[@name=$user and @pass=$pass]\";\n xpath.setXPathVariableResolver(v -> {\n switch (v.getLocalPart()) {\n case \"user\":\n return user;\n case \"pass\":\n return pass;\n default:\n throw new IllegalArgumentException();\n }\n });\n isExist = (boolean)xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n\n // Bad Dom4j \n org.dom4j.io.SAXReader 
reader = new org.dom4j.io.SAXReader();\n org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));\n isExist = document.selectSingleNode(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\") != null;\n // or document.selectNodes\n System.out.println(isExist);\n\n // Good Dom4j\n org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();\n svc.setVariableValue(\"user\", user);\n svc.setVariableValue(\"pass\", pass);\n String xpathString = \"/users/user[@name=$user and @pass=$pass]\";\n org.dom4j.XPath safeXPath = document.createXPath(xpathString);\n safeXPath.setVariableContext(svc);\n isExist = safeXPath.selectSingleNode(document) != null;\n System.out.println(isExist);\n }\n} catch (ParserConfigurationException e) {\n\n} catch (SAXException e) {\n\n} catch (XPathExpressionException e) {\n\n} catch (org.dom4j.DocumentException e) {\n\n}\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n", + "markdown": "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or pre-compile the query and use variable references to include the user input.\n\nXPath injection can also be prevented by using XQuery.\n\n\n## Example\nIn the first three examples, the code accepts a name and password specified by the user, and uses this unvalidated and unsanitized value in an XPath expression. 
This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\nIn the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.\n\nThe final two examples are for dom4j. They show an example of XPath injection and one method of preventing it.\n\n\n```java\nfinal String xmlStr = \"\" + \n \" \" + \n \" \" + \n \"\";\ntry {\n DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();\n domFactory.setNamespaceAware(true);\n DocumentBuilder builder = domFactory.newDocumentBuilder();\n //Document doc = builder.parse(\"user.xml\");\n Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));\n\n XPathFactory factory = XPathFactory.newInstance();\n XPath xpath = factory.newXPath();\n\n // Injectable data\n String user = request.getParameter(\"user\");\n String pass = request.getParameter(\"pass\");\n if (user != null && pass != null) {\n boolean isExist = false;\n\n // Bad expression\n String expression1 = \"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\";\n isExist = (boolean)xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n XPathExpression expression2 = xpath.compile(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\");\n isExist = (boolean)expression2.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n StringBuffer sb = new StringBuffer(\"/users/user[@name=\");\n sb.append(user);\n sb.append(\"' and @pass='\");\n sb.append(pass);\n sb.append(\"']\");\n String query = sb.toString();\n XPathExpression expression3 = xpath.compile(query);\n isExist = (boolean)expression3.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Good expression\n String expression4 = \"/users/user[@name=$user and @pass=$pass]\";\n xpath.setXPathVariableResolver(v -> {\n switch 
(v.getLocalPart()) {\n case \"user\":\n return user;\n case \"pass\":\n return pass;\n default:\n throw new IllegalArgumentException();\n }\n });\n isExist = (boolean)xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n\n // Bad Dom4j \n org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();\n org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));\n isExist = document.selectSingleNode(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\") != null;\n // or document.selectNodes\n System.out.println(isExist);\n\n // Good Dom4j\n org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();\n svc.setVariableValue(\"user\", user);\n svc.setVariableValue(\"pass\", pass);\n String xpathString = \"/users/user[@name=$user and @pass=$pass]\";\n org.dom4j.XPath safeXPath = document.createXPath(xpathString);\n safeXPath.setVariableContext(svc);\n isExist = safeXPath.selectSingleNode(document) != null;\n System.out.println(isExist);\n }\n} catch (ParserConfigurationException e) {\n\n} catch (SAXException e) {\n\n} catch (XPathExpressionException e) {\n\n} catch (org.dom4j.DocumentException e) {\n\n}\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-643", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/xslt-injection", + "name": "java/xslt-injection", + "shortDescription": { + 
"text": "XSLT transformation with user-controlled stylesheet" + }, + "fullDescription": { + "text": "Performing an XSLT transformation with user-controlled stylesheets can lead to information disclosure or execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# XSLT transformation with user-controlled stylesheet\nXSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.\n\n\n## Example\nIn the following examples, the code accepts an XSLT stylesheet from the user and processes it.\n\nIn the first example, the user-provided XSLT stylesheet is parsed and processed.\n\nIn the second example, secure processing mode is enabled.\n\n\n```java\nimport javax.xml.XMLConstants;\nimport javax.xml.transform.TransformerFactory;\nimport javax.xml.transform.stream.StreamResult;\nimport javax.xml.transform.stream.StreamSource;\n\npublic void transform(Socket socket, String inputXml) throws Exception {\n StreamSource xslt = new StreamSource(socket.getInputStream());\n StreamSource xml = new StreamSource(new StringReader(inputXml));\n StringWriter result = new StringWriter();\n TransformerFactory factory = TransformerFactory.newInstance();\n\n // BAD: User provided XSLT stylesheet is processed\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n\n // GOOD: The secure processing mode is enabled\n factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n} \n```\n\n## References\n* Wikipedia: [XSLT](https://en.wikipedia.org/wiki/XSLT).\n* 
The Java Tutorials: [Transforming XML Data with XSLT](https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html).\n* [XSLT Injection Basics](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n", + "markdown": "# XSLT transformation with user-controlled stylesheet\nXSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.\n\n\n## Example\nIn the following examples, the code accepts an XSLT stylesheet from the user and processes it.\n\nIn the first example, the user-provided XSLT stylesheet is parsed and processed.\n\nIn the second example, secure processing mode is enabled.\n\n\n```java\nimport javax.xml.XMLConstants;\nimport javax.xml.transform.TransformerFactory;\nimport javax.xml.transform.stream.StreamResult;\nimport javax.xml.transform.stream.StreamSource;\n\npublic void transform(Socket socket, String inputXml) throws Exception {\n StreamSource xslt = new StreamSource(socket.getInputStream());\n StreamSource xml = new StreamSource(new StringReader(inputXml));\n StringWriter result = new StringWriter();\n TransformerFactory factory = TransformerFactory.newInstance();\n\n // BAD: User provided XSLT stylesheet is processed\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n\n // GOOD: The secure processing mode is enabled\n factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n} \n```\n\n## References\n* Wikipedia: 
[XSLT](https://en.wikipedia.org/wiki/XSLT).\n* The Java Tutorials: [Transforming XML Data with XSLT](https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html).\n* [XSLT Injection Basics](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-074", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/xss", + "name": "java/xss", + "shortDescription": { + "text": "Cross-site scripting" + }, + "fullDescription": { + "text": "Writing user input directly to a web page allows for a cross-site scripting vulnerability." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the reference.\n\n\n## Example\nThe following example shows the `page` parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.\n\n\n```java\npublic class XSS extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: a request parameter is written directly to the Servlet response stream\n\t\tresponse.getWriter().print(\n\t\t\t\t\"The page \\\"\" + request.getParameter(\"page\") + \"\\\" was not found.\");\n\n\t}\n}\n\n```\n\n## References\n* OWASP: [XSS 
(Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n", + "markdown": "# Cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the reference.\n\n\n## Example\nThe following example shows the `page` parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.\n\n\n```java\npublic class XSS extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: a request parameter is written directly to the Servlet response stream\n\t\tresponse.getWriter().print(\n\t\t\t\t\"The page \\\"\" + request.getParameter(\"page\") + \"\\\" was not found.\");\n\n\t}\n}\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-079/XSS.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/xxe", + "name": 
"java/xxe", + "shortDescription": { + "text": "Resolving XML external entity in user-controlled data" + }, + "fullDescription": { + "text": "Parsing user-controlled XML documents and allowing expansion of external entity references may lead to disclosure of confidential data or denial of service." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Resolving XML external entity in user-controlled data\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation.\n\nThere are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: `javax.xml.parsers.DocumentBuilder`, `javax.xml.stream.XMLStreamReader`, `org.jdom.input.SAXBuilder`/`org.jdom2.input.SAXBuilder`, `javax.xml.parsers.SAXParser`,`org.dom4j.io.SAXReader`, `org.xml.sax.XMLReader`, `javax.xml.transform.sax.SAXSource`, `javax.xml.transform.TransformerFactory`, `javax.xml.transform.sax.SAXTransformerFactory`, `javax.xml.validation.SchemaFactory`, `javax.xml.bind.Unmarshaller` and `javax.xml.xpath.XPathExpression`.\n\n\n## Recommendation\nThe best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. If this is not possible you should disable the parsing of external general entities and external parameter entities. This improves security but the code will still be at risk of denial of service and server side request forgery attacks. 
Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done by default in recent JDK and JRE implementations. We recommend visiting OWASP's [XML Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java), finding the specific XML parser, and applying the mitigation listed there. Other mitigations might be sufficient in some cases, but manual verification will be needed, as the query will continue to flag the parser as potentially dangerous.\n\n\n## Example\nThe following example calls `parse` on a `DocumentBuilder` that is not safely configured on untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic void parse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //unsafe\n}\n\n```\nIn this example, the `DocumentBuilder` is created with DTD disabled, securing it against XXE attack.\n\n\n```java\npublic void disableDTDParse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //safe\n}\n\n```\n\n## References\n* OWASP vulnerability description: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* OWASP guidance on parsing xml files: [XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java).\n* Paper by Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/)\n* Out-of-band data retrieval: Timur Yunusov & 
Alexey Osipov, Black hat EU 2013: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Denial of service attack (Billion laughs): [Billion Laughs.](https://en.wikipedia.org/wiki/Billion_laughs)\n* The Java Tutorials: [Processing Limit Definitions.](https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html)\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n", + "markdown": "# Resolving XML external entity in user-controlled data\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation.\n\nThere are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: `javax.xml.parsers.DocumentBuilder`, `javax.xml.stream.XMLStreamReader`, `org.jdom.input.SAXBuilder`/`org.jdom2.input.SAXBuilder`, `javax.xml.parsers.SAXParser`,`org.dom4j.io.SAXReader`, `org.xml.sax.XMLReader`, `javax.xml.transform.sax.SAXSource`, `javax.xml.transform.TransformerFactory`, `javax.xml.transform.sax.SAXTransformerFactory`, `javax.xml.validation.SchemaFactory`, `javax.xml.bind.Unmarshaller` and `javax.xml.xpath.XPathExpression`.\n\n\n## Recommendation\nThe best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. 
If this is not possible you should disable the parsing of external general entities and external parameter entities. This improves security but the code will still be at risk of denial of service and server side request forgery attacks. Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done by default in recent JDK and JRE implementations. We recommend visiting OWASP's [XML Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java), finding the specific XML parser, and applying the mitigation listed there. Other mitigations might be sufficient in some cases, but manual verification will be needed, as the query will continue to flag the parser as potentially dangerous.\n\n\n## Example\nThe following example calls `parse` on a `DocumentBuilder` that is not safely configured on untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic void parse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //unsafe\n}\n\n```\nIn this example, the `DocumentBuilder` is created with DTD disabled, securing it against XXE attack.\n\n\n```java\npublic void disableDTDParse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //safe\n}\n\n```\n\n## References\n* OWASP vulnerability description: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* OWASP guidance on parsing xml files: [XXE Prevention Cheat 
Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java).\n* Paper by Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/)\n* Out-of-band data retrieval: Timur Yunusov & Alexey Osipov, Black hat EU 2013: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Denial of service attack (Billion laughs): [Billion Laughs.](https://en.wikipedia.org/wiki/Billion_laughs)\n* The Java Tutorials: [Processing Limit Definitions.](https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html)\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-611", + "external/cwe/cwe-776", + "external/cwe/cwe-827", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-611/XXE.ql", + "precision": "high", + "security-severity": "9.1" + } + }, + { + "id": "java/zipslip", + "name": "java/zipslip", + "shortDescription": { + "text": "Arbitrary file access during archive extraction (\"Zip Slip\")" + }, + "fullDescription": { + "text": "Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to verify that the normalized full path of the output file starts with a prefix that matches the destination directory. Path normalization can be done with either `java.io.File.getCanonicalFile()` or `java.nio.file.Path.normalize()`. Prefix checking can be done with `String.startsWith(..)`, but it is better to use `java.nio.file.Path.startsWith(..)`, as the latter works on complete path segments.\n\nAnother alternative is to validate archive entries against a whitelist of expected files.\n\n\n## Example\nIn this example, a file path taken from a zip archive item entry is combined with a destination directory. 
The result is used as the destination file path without verifying that the result is within the destination directory. If provided with a zip file containing an archive path like `..\\sneaky-file`, then this file would be written outside the destination directory.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n FileOutputStream fos = new FileOutputStream(file); // BAD\n // ... write entry to fos ...\n}\n\n```\nTo fix this vulnerability, we need to verify that the normalized `file` still has `destinationDir` as its prefix, and throw an exception if this is not the case.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n if (!file.toPath().normalize().startsWith(destinationDir.toPath()))\n throw new Exception(\"Bad zip entry\");\n FileOutputStream fos = new FileOutputStream(file); // OK\n // ... write entry to fos ...\n}\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n", + "markdown": "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. 
This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to verify that the normalized full path of the output file starts with a prefix that matches the destination directory. Path normalization can be done with either `java.io.File.getCanonicalFile()` or `java.nio.file.Path.normalize()`. Prefix checking can be done with `String.startsWith(..)`, but it is better to use `java.nio.file.Path.startsWith(..)`, as the latter works on complete path segments.\n\nAnother alternative is to validate archive entries against a whitelist of expected files.\n\n\n## Example\nIn this example, a file path taken from a zip archive item entry is combined with a destination directory. The result is used as the destination file path without verifying that the result is within the destination directory. If provided with a zip file containing an archive path like `..\\sneaky-file`, then this file would be written outside the destination directory.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n FileOutputStream fos = new FileOutputStream(file); // BAD\n // ... 
write entry to fos ...\n}\n\n```\nTo fix this vulnerability, we need to verify that the normalized `file` still has `destinationDir` as its prefix, and throw an exception if this is not the case.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n if (!file.toPath().normalize().startsWith(destinationDir.toPath()))\n throw new Exception(\"Bad zip entry\");\n FileOutputStream fos = new FileOutputStream(file); // OK\n // ... write entry to fos ...\n}\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-022", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql", + "precision": "high", + "security-severity": "7.5" + } + } + ] + }, + { + "name": "codeql/java-all", + "semanticVersion": "4.2.0+39a67b6e2e6490a9bd010db50e148f647765e9f7" + }, + { + "name": "codeql/threat-models", + "semanticVersion": "1.0.11+39a67b6e2e6490a9bd010db50e148f647765e9f7" + } + ] + }, + "conversion": { + "tool": { + "driver": { + "name": "GitHub Code Scanning" + } + } + }, + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/hintwatermelon/roller", + "revisionId": "c5fdfbf0b6cacc8cbaaf65c99ef09f5b784013b7", + "branch": "refs/heads/master" + } + ], + "artifacts": [ + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + } + }, + { + "location": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + } + }, + { + "location": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java", + "index": 24 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java", + "index": 25 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java", + "index": 26 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java", + "index": 27 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java", + "index": 28 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java", + "index": 29 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java", + 
"index": 30 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java", + "index": 31 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java", + "index": 32 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java", + "index": 33 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java", + "index": 34 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java", + "index": 35 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java", + "index": 36 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java", + "index": 37 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java", + "index": 38 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java", + "index": 39 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java", + "index": 40 + } + } + ], + "results": [ + { + "ruleId": "java/http-response-splitting", + "rule": { + "id": "java/http-response-splitting", + "index": 15, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 133, + "startColumn": 59, + "endLine": 133, + "endColumn": 76 + } + } + } + ], + "correlationGuid": "aa4c5176-3f0c-485c-9bdc-1c9cd2023d09", + "partialFingerprints": { + "primaryLocationLineHash": "a43352b656264e63:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 49, + "startColumn": 20, + "endLine": 49, + "endColumn": 28 + } + }, + "message": { + "text": "folderId : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 52 + } + }, + "message": { + "text": "folderId : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 70 + } + }, + "message": { + "text": "replace(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 88 + } + }, + "message": { + "text": "replace(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 133, + "startColumn": 59, + "endLine": 133, + "endColumn": 76 + } + }, + "message": { + "text": "sanetizedFolderID" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 49, + "startColumn": 20, + "endLine": 49, + "endColumn": 28 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/8", + "github/alertNumber": 8 + } + }, + { + "ruleId": "java/http-response-splitting", + "rule": { + "id": "java/http-response-splitting", + "index": 15, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + } + } + ], + "correlationGuid": "9a544acb-9e25-40b7-84ea-6f48b454f3fb", + "partialFingerprints": { + "primaryLocationLineHash": "41fbc440cf27dfd0:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "getParameter(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + }, + "message": { + "text": "callback" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 0 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/9", + "github/alertNumber": 9 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1).\nPotential 
Insecure randomness due to a [Insecure randomness source.](2)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + } + } + ], + "correlationGuid": "bd7483e8-25f4-41a7-bc67-785e5ccb280d", + "partialFingerprints": { + "primaryLocationLineHash": "ebe2869d4f29cd7e:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + }, + "region": { + "startLine": 161, + "startColumn": 39, + "endLine": 161, + "endColumn": 80 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + }, + "region": { + "startLine": 162, + "startColumn": 36, + "endLine": 162, + "endColumn": 48 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 119, + "startColumn": 31, + "endLine": 119, + "endColumn": 49 + } + }, + "message": { + "text": "newPassword : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + }, + "message": { + "text": "newPassword" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + }, + "region": { + "startLine": 110, + "startColumn": 39, + "endLine": 110, + "endColumn": 80 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + }, + "region": { + "startLine": 111, + "startColumn": 44, + "endLine": 111, + "endColumn": 56 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 119, + "startColumn": 31, + "endLine": 119, + "endColumn": 49 + } + }, + "message": { + "text": "newPassword : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + }, + "message": { + "text": "newPassword" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 0 + }, + "region": { + "startLine": 161, + "startColumn": 39, + "endLine": 161, + "endColumn": 80 + } + }, + "message": { + "text": "Insecure randomness source." + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 0 + }, + "region": { + "startLine": 110, + "startColumn": 39, + "endLine": 110, + "endColumn": 80 + } + }, + "message": { + "text": "Insecure randomness source." 
+ } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/10", + "github/alertNumber": 10 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 122, + "startColumn": 29, + "endLine": 122, + "endColumn": 41 + } + } + } + ], + "correlationGuid": "42e549d2-c275-4945-bf40-d6bebb689d9d", + "partialFingerprints": { + "primaryLocationLineHash": "a706f813f09b282d:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "randomAlphanumeric(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 371, + "startColumn": 39, + "endLine": 371, + "endColumn": 51 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 121, + "startColumn": 33, + "endLine": 121, + "endColumn": 52 + } + }, + "message": { + "text": "passwordText : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 122, + "startColumn": 29, + "endLine": 122, + "endColumn": 41 + } + }, + "message": { + "text": "passwordText" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 0 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "Insecure randomness source." + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/11", + "github/alertNumber": 11 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 130, + "startColumn": 32, + "endLine": 130, + "endColumn": 47 + } + } + } + ], + "correlationGuid": "d090be49-7c07-4548-be1c-d6a277e20f2e", + "partialFingerprints": { + "primaryLocationLineHash": "a7e8967f80765bad:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 372, + "startColumn": 42, + "endLine": 372, + "endColumn": 54 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 129, + "startColumn": 36, + "endLine": 129, + "endColumn": 58 + } + }, + "message": { + "text": "passwordConfirm : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 130, + "startColumn": 32, + "endLine": 130, + "endColumn": 47 + } + }, + "message": { + "text": "passwordConfirm" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 0 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "Insecure randomness source." + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/12", + "github/alertNumber": 12 + } + }, + { + "ruleId": "java/unvalidated-url-redirection", + "rule": { + "id": "java/unvalidated-url-redirection", + "index": 66, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Untrusted URL redirection depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + } + } + ], + "correlationGuid": "5bb7aec0-639e-4365-93a7-e41e00f18ec6", + "partialFingerprints": { + "primaryLocationLineHash": "41fbc440cf27dfd0:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "getParameter(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + }, + "message": { + "text": "callback" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 0 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/13", + "github/alertNumber": 13 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + } + } + ], + "correlationGuid": "ba9b5766-17b3-4de4-a1b7-79df1e478644", + "partialFingerprints": { + "primaryLocationLineHash": "cccb6385104d4c00:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/14", + "github/alertNumber": 14 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + } + } + ], + "correlationGuid": "6ef05652-94ad-44b8-8e9c-f77e493a8e2d", + "partialFingerprints": { + "primaryLocationLineHash": "df1362749a3e519c:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/15", + "github/alertNumber": 15 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + } + } + ], + "correlationGuid": "e116e0f4-cd03-4270-ab36-3b83f00ee00e", + "partialFingerprints": { + "primaryLocationLineHash": "871c3cf166627615:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) 
: StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": 
"removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + 
} + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 319, + "startColumn": 19, + "endLine": 319, + "endColumn": 134 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 322, + "startColumn": 19, + "endLine": 322, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 319, + "startColumn": 19, + "endLine": 319, + "endColumn": 134 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 322, + "startColumn": 19, + "endLine": 322, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/16", + "github/alertNumber": 16 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + } + } + ], + "correlationGuid": "db4c7ae4-0eda-47d9-aa17-02047f46b732", + "partialFingerprints": { + "primaryLocationLineHash": "f797cd6a2e95a76a:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 24, + "endLine": 95, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 13, + "endLine": 95, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 
11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + 
"artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 20, + "endLine": 94, + "endColumn": 58 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 9, + "endLine": 94, + "endColumn": 12 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 15 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 26 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + 
"index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + 
"uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/17", + "github/alertNumber": 17 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + } + } + ], + "correlationGuid": "2f804f4f-770f-4999-b2a6-e36f3f91f614", + "partialFingerprints": { + "primaryLocationLineHash": "d06c87887323661e:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 
141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": 
{ + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/18", + "github/alertNumber": 18 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + } + } + ], + "correlationGuid": "ed3376eb-e089-4f43-9bf8-adbd4676887b", + "partialFingerprints": { + "primaryLocationLineHash": "f797b1b59b078d8f:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 24, + "endLine": 95, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 13, + "endLine": 95, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 
11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + 
"artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 20, + "endLine": 94, + "endColumn": 58 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 9, + "endLine": 94, + "endColumn": 12 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 15 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 26 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + 
"index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + 
"uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/19", + "github/alertNumber": 19 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + } + } + ], + "correlationGuid": "47fdf168-4a30-4479-a4ee-b5810a9bee24", + "partialFingerprints": { + "primaryLocationLineHash": "6d90bf8993f560aa:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + 
"text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) 
: StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { 
+ "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 
141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": 
{ + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." 
+ } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/20", + "github/alertNumber": 20 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1).\nCross-site scripting vulnerability due to a [user-provided value](2)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + } + } + ], + "correlationGuid": "1b6fba72-5d1f-48f1-9f91-ddaa6ff07f20", + "partialFingerprints": { + "primaryLocationLineHash": "e41b363d572cf6d8:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 72, + "startColumn": 26, + "endLine": 72, + "endColumn": 58 + } + }, + "message": { + "text": "getParameter(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 87, + "startColumn": 13, + "endLine": 87, + "endColumn": 29 + } + }, + "message": { + "text": "... + ... : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 87, + "startColumn": 3, + "endLine": 87, + "endColumn": 5 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 12 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 23 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + }, + "message": { + "text": "getHtml(...)" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 73, + "startColumn": 26, + "endLine": 73, + "endColumn": 58 + } + }, + "message": { + "text": "getParameter(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 94, + "startColumn": 13, + "endLine": 94, + "endColumn": 29 + } + }, + "message": { + "text": "... + ... 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 94, + "startColumn": 3, + "endLine": 94, + "endColumn": 5 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 12 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 23 + } + }, + "message": { + "text": "toString(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + }, + "message": { + "text": "getHtml(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 0 + }, + "region": { + "startLine": 72, + "startColumn": 26, + "endLine": 72, + "endColumn": 58 + } + }, + "message": { + "text": "user-provided value" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 0 + }, + "region": { + "startLine": 73, + "startColumn": 26, + "endLine": 73, + "endColumn": 58 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/21", + "github/alertNumber": 21 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 81, + "startColumn": 37, + "endLine": 81, + "endColumn": 50 + } + } + } + ], + "correlationGuid": "41fb6220-c807-46cf-8acf-a02ad395aa77", + "partialFingerprints": { + "primaryLocationLineHash": "cf23dfd372a61ea3:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 81, + "startColumn": 37, + "endLine": 81, + "endColumn": 50 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": 
"https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/22", + "github/alertNumber": 22 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 86, + "startColumn": 50, + "endLine": 86, + "endColumn": 63 + } + } + } + ], + "correlationGuid": "19ac3ae8-6aee-4c71-83e5-3ad805b42e72", + "partialFingerprints": { + "primaryLocationLineHash": "103f70b0007fdfad:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 86, + "startColumn": 50, + "endLine": 86, + "endColumn": 63 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/23", + "github/alertNumber": 23 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 112, + "startColumn": 21, + "endLine": 112, + "endColumn": 34 + } + } + } + ], + "correlationGuid": "bd7ccb79-f108-47d2-ba9c-03ae9ca99d04", + "partialFingerprints": { + "primaryLocationLineHash": "9a91c0ae5a3ea9d:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + 
"index": 17 + }, + "region": { + "startLine": 112, + "startColumn": 21, + "endLine": 112, + "endColumn": 34 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/24", + "github/alertNumber": 24 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 147, + "startColumn": 48, + "endLine": 147, + "endColumn": 58 + } + } + } + ], + "correlationGuid": "16ab249d-cb7d-4003-bb25-4237836305d5", + "partialFingerprints": { + "primaryLocationLineHash": "77597f482b4d5d50:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 266, 
+ "startColumn": 16, + "endLine": 266, + "endColumn": 29 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 139, + "startColumn": 30, + "endLine": 139, + "endColumn": 48 + } + }, + "message": { + "text": "getUploadedFiles(...) : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 147, + "startColumn": 48, + "endLine": 147, + "endColumn": 58 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 0 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/25", + "github/alertNumber": 25 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + } + } + ], + "correlationGuid": "485410bf-8cbf-48eb-8680-82e1d52843ff", + "partialFingerprints": { + "primaryLocationLineHash": "2b2bb9cdd3635201:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 173, + "startColumn": 45, + "endLine": 173, + "endColumn": 63 + } + }, + "message": { + "text": "this.uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 51 + } + }, + "message": { + "text": "this.uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 0 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/26", + "github/alertNumber": 26 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + } + } + ], + "correlationGuid": "3088f3ec-6971-4d9e-98fc-8f02dfab52c3", + "partialFingerprints": { + "primaryLocationLineHash": "9449418b46954eb:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 125, + "startColumn": 21, + "endLine": 125, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": 
"app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 126, + "startColumn": 41, + "endLine": 126, + "endColumn": 58 + } + }, + "message": { + "text": "this.uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 0 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/27", + "github/alertNumber": 27 + } + }, + { + "ruleId": "java/polynomial-redos", + "rule": { + "id": "java/polynomial-redos", + "index": 38, + 
"toolComponent": { + "index": 0 + } + }, + "message": { + "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with 'b' and with many repetitions of 'b'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + } + } + ], + "correlationGuid": "2f63c4a7-4170-47c8-917b-9ca3a0115f38", + "partialFingerprints": { + "primaryLocationLineHash": "f22c138a13ff3a37:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + "endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) 
: WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + 
"startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 988, + "startColumn": 34, + "endLine": 988, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 897, + "startColumn": 19, + "endLine": 897, + "endColumn": 37 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 302, + "startColumn": 19, + "endLine": 302, + "endColumn": 26 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + 
"startLine": 303, + "startColumn": 16, + "endLine": 303, + "endColumn": 25 + } + }, + "message": { + "text": "this.text : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "getText(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + 
"startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + 
"endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 107, + "startColumn": 24, + "endLine": 107, + "endColumn": 29 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 107, + "startColumn": 24, + "endLine": 107, + "endColumn": 29 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + 
"endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + "startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 990, + "startColumn": 34, + "endLine": 990, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 904, + "startColumn": 19, + "endLine": 904, + "endColumn": 40 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 274, + 
"startColumn": 19, + "endLine": 274, + "endColumn": 29 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 275, + "startColumn": 16, + "endLine": 275, + "endColumn": 23 + } + }, + "message": { + "text": "summary : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "getSummary(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + 
"startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + "startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 49, + "startColumn": 19, + "endLine": 49, + "endColumn": 22 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 49, + "startColumn": 19, + "endLine": 49, + "endColumn": 69 + } + }, + "message": { + "text": "replaceFirst(...) 
: String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + "endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) 
: WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + 
"startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 996, + "startColumn": 34, + "endLine": 996, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 904, + "startColumn": 19, + "endLine": 904, + "endColumn": 40 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 274, + "startColumn": 19, + "endLine": 274, + "endColumn": 29 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + 
"startLine": 275, + "startColumn": 16, + "endLine": 275, + "endColumn": 23 + } + }, + "message": { + "text": "summary : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "getSummary(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + 
"startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + 
"endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) 
: Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + 
"startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1007, + "startColumn": 34, + "endLine": 1007, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 897, + "startColumn": 19, + "endLine": 897, + "endColumn": 37 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 302, + "startColumn": 19, + "endLine": 302, + "endColumn": 26 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + 
"startLine": 303, + "startColumn": 16, + "endLine": 303, + "endColumn": 25 + } + }, + "message": { + "text": "this.text : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "getText(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + 
"startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 0 + }, + "region": { + "startLine": 38, + "startColumn": 33, + "endLine": 38, + "endColumn": 51 + } + }, + "message": { + "text": "regular expression" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 0 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/28", + "github/alertNumber": 28 + } + }, + { + "ruleId": "java/polynomial-redos", + "rule": { + "id": "java/polynomial-redos", + "index": 38, + "toolComponent": { + "index": 0 + } + }, + 
"message": { + "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '' and with many repetitions of '
a'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 24
+                },
+                "region": {
+                  "startLine": 61,
+                  "startColumn": 51,
+                  "endLine": 61,
+                  "endColumn": 54
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f9b0a3a9-8833-461c-93ec-3a12c3a72f91",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "80ff14788737bca8:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 996,
+                            "startColumn": 34,
+                            "endLine": 996,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1007,
+                            "startColumn": 34,
+                            "endLine": 1007,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 38,
+                  "startColumn": 22,
+                  "endLine": 38,
+                  "endColumn": 27
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 38,
+                  "startColumn": 29,
+                  "endLine": 38,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/29",
+            "github/alertNumber": 29
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '' and with many repetitions of 'a'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 24
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 57,
+                  "endLine": 68,
+                  "endColumn": 66
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f9eb5f85-f753-42b1-8c6b-3bd3ef5db56e",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "6d309d833fb2b46b:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 996,
+                            "startColumn": 34,
+                            "endLine": 996,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1007,
+                            "startColumn": 34,
+                            "endLine": 1007,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 41,
+                  "startColumn": 24,
+                  "endLine": 41,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 41,
+                  "startColumn": 31,
+                  "endLine": 41,
+                  "endColumn": 34
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/30",
+            "github/alertNumber": 30
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 60,
+                  "startColumn": 88,
+                  "endLine": 60,
+                  "endColumn": 90
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/31",
+            "github/alertNumber": 31
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of ' '."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 179,
+                  "startColumn": 68,
+                  "endLine": 179,
+                  "endColumn": 77
+                }
+              }
+            }
+          ],
+          "correlationGuid": "0068dc73-44a6-456e-83a7-5fe04b5899e9",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f7eba83359081407:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 66,
+                  "startColumn": 77,
+                  "endLine": 66,
+                  "endColumn": 81
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/32",
+            "github/alertNumber": 32
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of '!'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 235,
+                  "startColumn": 67,
+                  "endLine": 235,
+                  "endColumn": 70
+                }
+              }
+            }
+          ],
+          "correlationGuid": "b4530215-fde8-4f7d-8718-57bc4d310a08",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f77ea2ce3b67490a:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 67,
+                  "endLine": 68,
+                  "endColumn": 76
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/33",
+            "github/alertNumber": 33
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](2) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](4) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](5) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](6) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](7) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](8) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](8) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 249,
+                  "startColumn": 83,
+                  "endLine": 249,
+                  "endColumn": 93
+                }
+              }
+            }
+          ],
+          "correlationGuid": "ebd7d4fc-18fe-4894-ad98-05b92939b9a6",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "d2f751956bb0d070:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 174,
+                            "startColumn": 38,
+                            "endLine": 174,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 19,
+                            "endLine": 66,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 67,
+                            "startColumn": 16,
+                            "endLine": 67,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 174,
+                            "startColumn": 38,
+                            "endLine": 174,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "getUserName(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 30,
+                            "endLine": 94,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 95,
+                            "startColumn": 62,
+                            "endLine": 95,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 17,
+                            "endLine": 413,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 82,
+                            "startColumn": 40,
+                            "endLine": 82,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 109,
+                            "startColumn": 19,
+                            "endLine": 109,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 110,
+                            "startColumn": 16,
+                            "endLine": 110,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 82,
+                            "startColumn": 40,
+                            "endLine": 82,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getOpenIdUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 47,
+                            "endLine": 86,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "openidurl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 30,
+                            "endLine": 131,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 132,
+                            "startColumn": 63,
+                            "endLine": 132,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 17,
+                            "endLine": 413,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 70,
+                  "startColumn": 73,
+                  "endLine": 70,
+                  "endColumn": 75
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 70,
+                  "startColumn": 98,
+                  "endLine": 70,
+                  "endColumn": 103
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 8,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/34",
+            "github/alertNumber": 34
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings starting with '<' and with many repetitions of '<'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 290,
+                  "startColumn": 103,
+                  "endLine": 290,
+                  "endColumn": 106
+                }
+              }
+            }
+          ],
+          "correlationGuid": "98c49d16-a691-4397-87d1-0bebd5d9982a",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "ea89bbca86ba4590:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 64,
+                  "startColumn": 65,
+                  "endLine": 64,
+                  "endColumn": 67
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/35",
+            "github/alertNumber": 35
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings starting with '<' and with many repetitions of '<'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 308,
+                  "startColumn": 40,
+                  "endLine": 308,
+                  "endColumn": 43
+                }
+              }
+            }
+          ],
+          "correlationGuid": "5b53c901-1227-4899-94b0-02de15b8ef1b",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "7fd366a6b63e95c3:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 64,
+                  "startColumn": 65,
+                  "endLine": 64,
+                  "endColumn": 67
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/36",
+            "github/alertNumber": 36
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 49,
+                  "startColumn": 36,
+                  "endLine": 49,
+                  "endColumn": 51
+                }
+              }
+            }
+          ],
+          "correlationGuid": "1923e2ac-ef5c-43bf-b786-86bf2b341004",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "77bb988d556b367:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/37",
+            "github/alertNumber": 37
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 66,
+                  "startColumn": 36,
+                  "endLine": 66,
+                  "endColumn": 38
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f7e56bbc-467c-4e07-a916-b3b3c362a229",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "e97d22a8b2a0b291:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/38",
+            "github/alertNumber": 38
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 71,
+                  "startColumn": 36,
+                  "endLine": 71,
+                  "endColumn": 39
+                }
+              }
+            }
+          ],
+          "correlationGuid": "49c124bf-2a10-4623-9976-3376d4c86436",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "9713a8da9d6dd391:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 67
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 67
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/39",
+            "github/alertNumber": 39
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                  "index": 32
+                },
+                "region": {
+                  "startLine": 438,
+                  "startColumn": 48,
+                  "endLine": 438,
+                  "endColumn": 53
+                }
+              }
+            }
+          ],
+          "correlationGuid": "d8bfdf72-6bfc-410e-8a9f-acdb38e8d713",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "41fca1ccdb5c516f:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 55,
+                            "startColumn": 30,
+                            "endLine": 55,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "bean : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 204,
+                            "startColumn": 16,
+                            "endLine": 204,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 47,
+                            "endLine": 195,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java",
+                            "index": 34
+                          },
+                          "region": {
+                            "startLine": 101,
+                            "startColumn": 19,
+                            "endLine": 101,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java",
+                            "index": 34
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 16,
+                            "endLine": 102,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this.bannedwordslist : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 47,
+                            "endLine": 195,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getBannedwordslist(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 427,
+                            "startColumn": 9,
+                            "endLine": 427,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "bannedwordslist : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 431,
+                            "startColumn": 53,
+                            "endLine": 431,
+                            "endColumn": 83
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 431,
+                            "startColumn": 33,
+                            "endLine": 431,
+                            "endColumn": 90
+                          }
+                        },
+                        "message": {
+                          "text": "new StringTokenizer(...) : StringTokenizer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "toker : StringTokenizer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "nextToken(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 438,
+                            "startColumn": 48,
+                            "endLine": 438,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 55,
+                  "startColumn": 30,
+                  "endLine": 55,
+                  "endColumn": 34
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/40",
+            "github/alertNumber": 40
+          }
+        },
+        {
+          "ruleId": "java/ssrf",
+          "rule": {
+            "id": "java/ssrf",
+            "index": 47,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Potential server-side request forgery due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                  "index": 35
+                },
+                "region": {
+                  "startLine": 230,
+                  "startColumn": 57,
+                  "endLine": 230,
+                  "endColumn": 72
+                }
+              }
+            }
+          ],
+          "correlationGuid": "9d0ad640-089c-4ee1-b3ed-dfbe72c4e5b1",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "248fddc681a75a01:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 20,
+                            "endLine": 49,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 313,
+                            "startColumn": 16,
+                            "endLine": 313,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 53,
+                            "endLine": 188,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getSubUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 43,
+                            "endLine": 74,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 34,
+                            "endLine": 75,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 83,
+                            "startColumn": 43,
+                            "endLine": 83,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 93,
+                            "startColumn": 30,
+                            "endLine": 93,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 32,
+                            "endLine": 228,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 68,
+                            "endLine": 230,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 57,
+                            "endLine": 230,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "create(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 20,
+                            "endLine": 49,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 313,
+                            "startColumn": 16,
+                            "endLine": 313,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 53,
+                            "endLine": 188,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getSubUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 43,
+                            "endLine": 74,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 34,
+                            "endLine": 75,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java",
+                            "index": 37
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 43,
+                            "endLine": 63,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java",
+                            "index": 37
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 44,
+                            "endLine": 74,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 83,
+                            "startColumn": 43,
+                            "endLine": 83,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 93,
+                            "startColumn": 30,
+                            "endLine": 93,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 32,
+                            "endLine": 228,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 68,
+                            "endLine": 230,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 57,
+                            "endLine": 230,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "create(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 49,
+                  "startColumn": 20,
+                  "endLine": 49,
+                  "endColumn": 26
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/41",
+            "github/alertNumber": 41
+          }
+        },
+        {
+          "ruleId": "java/ssrf",
+          "rule": {
+            "id": "java/ssrf",
+            "index": 47,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Potential server-side request forgery due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                  "index": 38
+                },
+                "region": {
+                  "startLine": 57,
+                  "startColumn": 57,
+                  "endLine": 57,
+                  "endColumn": 69
+                }
+              }
+            }
+          ],
+          "correlationGuid": "839215e6-bef4-4426-97bf-80d3555da65d",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "c240ab2d5b41ea5f:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 72,
+                            "startColumn": 23,
+                            "endLine": 72,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "bean : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 315,
+                            "startColumn": 16,
+                            "endLine": 315,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 231,
+                            "startColumn": 49,
+                            "endLine": 231,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java",
+                            "index": 39
+                          },
+                          "region": {
+                            "startLine": 223,
+                            "startColumn": 19,
+                            "endLine": 223,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java",
+                            "index": 39
+                          },
+                          "region": {
+                            "startLine": 224,
+                            "startColumn": 16,
+                            "endLine": 224,
+                            "endColumn": 28
+                          }
+                        },
+                        "message": {
+                          "text": "enclosureURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 231,
+                            "startColumn": 49,
+                            "endLine": 231,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getEnclosureURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 48,
+                            "startColumn": 52,
+                            "endLine": 48,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 65,
+                            "endLine": 57,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 57,
+                            "endLine": 57,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "new URL(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 72,
+                  "startColumn": 23,
+                  "endLine": 72,
+                  "endColumn": 27
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/42",
+            "github/alertNumber": 42
+          }
+        },
+        {
+          "ruleId": "java/error-message-exposure",
+          "rule": {
+            "id": "java/error-message-exposure",
+            "index": 13,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "[Error information](1) can be exposed to an external user."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 40
+                },
+                "region": {
+                  "startLine": 147,
+                  "startColumn": 24,
+                  "endLine": 147,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "d722e768-31a0-417b-9b87-847c29a58084",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "7c1f69188f18e239:1"
+          },
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 142,
+                  "startColumn": 25,
+                  "endLine": 142,
+                  "endColumn": 39
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/43",
+            "github/alertNumber": 43
+          }
+        },
+        {
+          "ruleId": "java/error-message-exposure",
+          "rule": {
+            "id": "java/error-message-exposure",
+            "index": 13,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "[Error information](1) can be exposed to an external user.\n[Error information](2) can be exposed to an external user."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 40
+                },
+                "region": {
+                  "startLine": 221,
+                  "startColumn": 24,
+                  "endLine": 221,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "4df5ee6f-b915-488c-ba43-35a70984f360",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "517a7a49b664a801:1"
+          },
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 142,
+                  "startColumn": 25,
+                  "endLine": 142,
+                  "endColumn": 39
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 214,
+                  "startColumn": 21,
+                  "endLine": 214,
+                  "endColumn": 35
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/44",
+            "github/alertNumber": 44
+          }
+        }
+      ],
+      "automationDetails": {
+        "id": ".github/workflows/codeql-analysis.yml:analyze/language:java/"
+      },
+      "properties": {
+        "codeqlConfigSummary": {}
+      }
+    }
+  ]
+}
diff --git a/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-5.sarif b/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-5.sarif
new file mode 100644
index 000000000..74eb5c7bd
--- /dev/null
+++ b/plugins/codemodder-plugin-codeql/src/test/resources/conflicting-sarifs/codeql-5.sarif
@@ -0,0 +1,4535 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL",
+          "semanticVersion": "2.19.3"
+        },
+        "extensions": [
+          {
+            "name": "codeql/javascript-queries",
+            "semanticVersion": "1.2.3+39a67b6e2e6490a9bd010db50e148f647765e9f7",
+            "rules": [
+              {
+                "id": "js/actions/actions-artifact-leak",
+                "name": "js/actions/actions-artifact-leak",
+                "shortDescription": {
+                  "text": "Storage of sensitive information in GitHub Actions artifact"
+                },
+                "fullDescription": {
+                  "text": "Including sensitive information in a GitHub Actions artifact can expose it to an attacker."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Storage of sensitive information in GitHub Actions artifact\nSensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a GitHub Actions artifact.\n\n\n## Example\nThe following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \\`.git/config\\` file and then stores the contents of the \\`.git\\` repository into the artifact:\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2\n        with:\n          name: file\n          path: .\n\n```\nThe issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact.\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # NOT VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@v4\n        with:\n          name: file\n          path: .\n\n\n```\n",
+                  "markdown": "# Storage of sensitive information in GitHub Actions artifact\nSensitive information included in a GitHub Actions artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a GitHub Actions artifact.\n\n\n## Example\nThe following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \\`.git/config\\` file and then stores the contents of the \\`.git\\` repository into the artifact:\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2\n        with:\n          name: file\n          path: .\n\n```\nThe issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact.\n\n\n```yaml\nname: secrets-in-artifacts\non:\n  pull_request:\njobs:\n  a-job: # NOT VULNERABLE\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - name: \"Upload artifact\"\n        uses: actions/upload-artifact@v4\n        with:\n          name: file\n          path: .\n\n\n```\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-312",
+                    "external/cwe/cwe-315",
+                    "external/cwe/cwe-359",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "js/actions/command-injection",
+                "name": "js/actions/command-injection",
+                "shortDescription": {
+                  "text": "Expression injection in Actions"
+                },
+                "fullDescription": {
+                  "text": "Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious user to inject code into the GitHub action."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - run: |\n        echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    -  env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo '${{ env.BODY }}'\n```\nThe following example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security 
hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n",
+                  "markdown": "# Expression injection in Actions\nUsing user-controlled input in GitHub Actions may lead to code injection in contexts like *run:* or *script:*.\n\nCode injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.\n\n\n## Recommendation\nThe best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not *${{ env.VAR }}*).\n\nIt is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.\n\n\n## Example\nThe following example lets a user inject an arbitrary shell command:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - run: |\n        echo '${{ github.event.comment.body }}'\n```\nThe following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    -  env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo '${{ env.BODY }}'\n```\nThe following example uses shell syntax to read the environment variable and will prevent the attack:\n\n\n```yaml\non: issue_comment\n\njobs:\n  echo-body:\n    runs-on: ubuntu-latest\n    steps:\n    - env:\n        BODY: ${{ github.event.issue.body }}\n      run: |\n        echo \"$BODY\"\n\n```\n\n## References\n* GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).\n* GitHub Docs: [Security 
hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).\n* GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "actions",
+                    "external/cwe/cwe-094",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.3"
+                }
+              },
+              {
+                "id": "js/angular/disabling-sce",
+                "name": "js/angular/disabling-sce",
+                "shortDescription": {
+                  "text": "Disabling SCE"
+                },
+                "fullDescription": {
+                  "text": "Disabling strict contextual escaping (SCE) can cause security vulnerabilities."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n    .config(function($sceProvider) {\n        $sceProvider.enabled(false); // BAD\n    }).controller('controller', function($scope) {\n        // ...\n        $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n .config(function($sceProvider) {\n $sceProvider.enabled(false); // BAD\n }).controller('controller', function($scope) {\n // ...\n $scope.html = '
  • ' + item.toString() + '
';\n });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n .controller('controller', function($scope, $sce) {\n // ...\n // GOOD (but should use the templating system instead)\n $scope.html = $sce.trustAsHtml('
  • ' + item.toString() + '
'); \n });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-116", + "frameworks/angularjs", + "maintainability", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/AngularJS/DisablingSce.ql", + "precision": "very-high", + "security-severity": "7.8" + } + }, + { + "id": "js/angular/double-compilation", + "name": "js/angular/double-compilation", + "shortDescription": { + "text": "Double compilation" + }, + "fullDescription": { + "text": "Recompiling an already compiled part of the DOM can lead to unexpected behavior of directives, performance problems, and memory leaks." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n", + "markdown": "# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. 
Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(element)(scope); // NOT OK\n }\n };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n .directive('addToolTip', function($compile) {\n return {\n link: function(scope, element, attrs) {\n var tooltip = angular.element('A tooltip');\n tooltip.on('mouseenter mouseleave', function() {\n scope.$apply('showToolTip = !showToolTip');\n });\n element.append(tooltip);\n $compile(tooltip)(scope); // OK\n }\n };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1176", + "frameworks/angularjs", + "reliability", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/AngularJS/DoubleCompilation.ql", + "precision": "very-high", + "security-severity": "8.8" + } + }, + { + "id": "js/angular/insecure-url-whitelist", + "name": "js/angular/insecure-url-whitelist", + "shortDescription": { + 
"text": "Insecure URL whitelist" + }, + "fullDescription": { + "text": "URL whitelists that are too permissive can cause security vulnerabilities." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n", + "markdown": "# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. 
One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n .config(function($sceDelegateProvider) {\n $sceDelegateProvider.resourceUrlWhitelist([\n \"*://example.org/*\", // BAD\n \"https://**.example.com/*\", // BAD\n \"https://example.**\", // BAD\n \"https://example.*\" // BAD\n ]);\n });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-183", + "external/cwe/cwe-625", + "frameworks/angularjs", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql", + "precision": "very-high", + "security-severity": "7.5" + } + }, + { + "id": "js/bad-code-sanitization", + "name": "js/bad-code-sanitization", + "shortDescription": { + "text": "Improper code sanitization" + }, + "fullDescription": { + "text": "Escaping code as HTML does not provide 
protection against code injection." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Improper code sanitization\nUsing string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Improper code sanitization\nUsing string 
concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains ``, then the generated code will break out of a `` if inserted into a `` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n const assignment = `obj[${JSON.stringify(key)}]=42`;\n return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n '<': '\\\\u003C',\n '>' : '\\\\u003E',\n '/': '\\\\u002F',\n '\\\\': '\\\\\\\\',\n '\\b': '\\\\b',\n '\\f': '\\\\f',\n '\\n': '\\\\n',\n '\\r': '\\\\r',\n '\\t': '\\\\t',\n '\\0': '\\\\0',\n '\\u2028': '\\\\u2028',\n '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-094", + "external/cwe/cwe-116", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/bad-tag-filter", + "name": "js/bad-tag-filter", + "shortDescription": { + "text": "Bad HTML filtering regexp" + }, + "fullDescription": { + "text": "Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. 
This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n", + "markdown": "# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. 
Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "external/cwe/cwe-080", + "external/cwe/cwe-116", + 
"external/cwe/cwe-184", + "external/cwe/cwe-185", + "external/cwe/cwe-186", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-116/BadTagFilter.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "js/biased-cryptographic-random", + "name": "js/biased-cryptographic-random", + "shortDescription": { + "text": "Creating biased random numbers from a cryptographically secure source" + }, + "fullDescription": { + "text": "Some mathematical operations on random numbers can cause bias in the results and compromise security." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n", + "markdown": "# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. 
Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. 
Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n const byte = crypto.randomBytes(1)[0];\n if (byte >= 250) {\n continue;\n }\n digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-327", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-327/BadRandomness.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/build-artifact-leak", + "name": "js/build-artifact-leak", + "shortDescription": { + "text": "Storage of sensitive information in build artifact" + }, + "fullDescription": { + "text": "Including sensitive information in a build artifact can expose it to an attacker." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown": "# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that 
inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n \"process.env\": JSON.stringify(process.env)\n })\n ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n plugins: [\n new webpack.DefinePlugin({\n 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n })\n ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-312", + "external/cwe/cwe-315", + "external/cwe/cwe-359", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/case-sensitive-middleware-path", + "name": "js/case-sensitive-middleware-path", + "shortDescription": { + "text": "Case-sensitive middleware path" + }, + "fullDescription": { + "text": "Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n", + "markdown": "# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-178", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql", + "precision": "high", + "security-severity": "7.3" + } + }, + { + "id": "js/clear-text-cookie", + "name": "js/clear-text-cookie", + "shortDescription": { + "text": "Clear text transmission of sensitive cookie" + }, + "fullDescription": { + "text": "Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. 
If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n", + "markdown": "# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-311", + "external/cwe/cwe-312", + "external/cwe/cwe-319", + "external/cwe/cwe-614", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-614/ClearTextCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "js/clear-text-logging", + "name": "js/clear-text-logging", + "shortDescription": { + "text": "Clear-text logging of sensitive information" + }, + "fullDescription": { + "text": "Logging sensitive information without encryption or hashing can expose it to an attacker." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. 
Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n", + "markdown": "# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. 
Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${process.env}`);\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${not_sensitive_data}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-312", + "external/cwe/cwe-359", + "external/cwe/cwe-532", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/CleartextLogging.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/clear-text-storage-of-sensitive-data", + "name": "js/clear-text-storage-of-sensitive-data", + "shortDescription": { + "text": "Clear text storage of sensitive information" + }, + "fullDescription": { + "text": "Sensitive information stored without encryption or hashing can expose it to an attacker." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. 
This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. 
Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown": "# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = req.param(\"current_password\");\n // BAD: Setting a cookie value with cleartext sensitive data.\n res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n password = getPassword();\n\nfunction encrypt(text){\n var cipher = crypto.createCipher('aes-256-ctr', password);\n return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n let pw = 
req.param(\"current_password\");\n // GOOD: Encoding the value before setting it.\n res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-312", + "external/cwe/cwe-315", + "external/cwe/cwe-359", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-312/CleartextStorage.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/client-exposed-cookie", + "name": "js/client-exposed-cookie", + "shortDescription": { + "text": "Sensitive server cookie exposed to the client" + }, + "fullDescription": { + "text": "Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set." 
+ }, + "defaultConfiguration": {}, + "help": { + "text": "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n", + "markdown": "# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1004", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-1004/ClientExposedCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "js/client-side-unvalidated-url-redirection", + "name": "js/client-side-unvalidated-url-redirection", + "shortDescription": { + "text": "Client-side URL redirect" + }, + "fullDescription": { + "text": "Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. 
Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", + "markdown": "# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. 
This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-116", + "external/cwe/cwe-601", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/code-injection", + "name": "js/code-injection", + "shortDescription": { + "text": "Code injection" + }, + "fullDescription": { + "text": "Interpreting unsanitized user input as code allows a malicious user arbitrary code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. 
It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. 
It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello `+ input\n var fn = pug.compile(template);\n var html = fn();\n res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. 
The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n var input = req.query.username;\n var template = `\ndoctype\nhtml\nhead\n title= 'Hello world'\nbody\n form(action='/' method='post')\n input#name.form-control(type='text)\n button.btn.btn-primary(type='submit') Submit\n p Hello #{username}`\n var fn = pug.compile(template);\n var html = fn({username: input});\n res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-094", + "external/cwe/cwe-095", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-094/CodeInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "js/command-line-injection", + "name": "js/command-line-injection", + "shortDescription": { + "text": "Uncontrolled command line" + }, + "fullDescription": { + "text": "Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. 
For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown": "# Uncontrolled command line\nCode that passes 
untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. 
For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url'),\n shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n let options = url.parse(req.url, true).query.options;\n\n cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n http = require('http'),\n url = require('url');\n\nvar server = http.createServer(function(req, res) {\n let file = url.parse(req.url, true).query.path;\n\n // only allow safe characters in file name\n if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n cp.execSync(`wc -l ${file}`); // GOOD\n }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties": { + "tags": [ + "correctness", + 
"external/cwe/cwe-078", + "external/cwe/cwe-088", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-078/CommandInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "js/cors-misconfiguration-for-credentials", + "name": "js/cors-misconfiguration-for-credentials", + "shortDescription": { + "text": "CORS misconfiguration for credentials transfer" + }, + "fullDescription": { + "text": "Misconfiguration of CORS HTTP headers allows for leaks of secret credentials." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. 
Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. 
The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: [CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n", + "markdown": "# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. 
Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. 
The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: [CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-346", + "external/cwe/cwe-639", + "external/cwe/cwe-942", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "js/cross-window-information-leak", + "name": 
"js/cross-window-information-leak", + "shortDescription": { + "text": "Cross-window communication with unrestricted target origin" + }, + "fullDescription": { + "text": "When sending sensitive information to another window using `postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n", + "markdown": "# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-201", + "external/cwe/cwe-359", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-201/PostMessageStar.ql", + "precision": "high", + "security-severity": "4.3" + } + }, + { + "id": "js/disabling-certificate-validation", + "name": "js/disabling-certificate-validation", + "shortDescription": { + "text": "Disabling certificate validation" + }, + "fullDescription": { + "text": "Disabling cryptographic certificate validation can cause security vulnerabilities." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n", + "markdown": "# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. 
But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n {\n hostname: \"secure.my-online-bank.com\",\n port: 443,\n method: \"POST\",\n path: \"send-confidential-information\",\n rejectUnauthorized: false // BAD\n },\n response => {\n // ... communicate with secure.my-online-bank.com\n }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-295", + "external/cwe/cwe-297", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql", + "precision": "very-high", + "security-severity": "7.5" + } + }, + { + "id": "js/disabling-electron-websecurity", + "name": "js/disabling-electron-websecurity", + "shortDescription": { + "text": "Disabling Electron webSecurity" + }, + "fullDescription": { + "text": "Disabling 
webSecurity can cause critical security vulnerabilities." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n", + "markdown": "# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. 
Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n webSecurity: false\n }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-79", + "frameworks/electron", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Electron/DisablingWebSecurity.ql", + "precision": "very-high", + "security-severity": "6.1" + } + }, + { + "id": "js/double-escaping", + "name": "js/double-escaping", + "shortDescription": { + "text": "Double escaping or unescaping" + }, + "fullDescription": { + "text": "When escaping special characters using a meta-character like backslash or ampersand, the meta-character has to be escaped first to avoid double-escaping, and conversely it has to be unescaped last to avoid double-unescaping." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `<` and the double-quote character as `"`. 
Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. 
So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `<` and the double-quote character as `"`. Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. 
Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. 
So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "js/enabling-electron-insecure-content", + "name": "js/enabling-electron-insecure-content", + "shortDescription": { + "text": "Enabling Electron allowRunningInsecureContent" + }, + "fullDescription": { + "text": "Enabling allowRunningInsecureContent can allow remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n", + "markdown": "# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. 
Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n webPreferences: {\n allowRunningInsecureContent: true\n }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-494", + "frameworks/electron", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Electron/AllowRunningInsecureContent.ql", + "precision": "very-high", + "security-severity": "8.8" + } + }, + { + "id": "js/exposure-of-private-files", + "name": "js/exposure-of-private-files", + "shortDescription": { + "text": "Exposure of private files" + }, + "fullDescription": { + "text": "Exposing a node_modules folder, or the project folder to the public, can cause exposure of private information." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. 
If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n", + "markdown": "# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. 
If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-200", + "external/cwe/cwe-219", + "external/cwe/cwe-548", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql", + "precision": "high", + "security-severity": "6.5" + } + }, + { + "id": "js/functionality-from-untrusted-domain", + "name": "js/functionality-from-untrusted-domain", + "shortDescription": { + "text": "Untrusted domain used in script or other content" + }, + "fullDescription": { + "text": "Using a 
resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. 
When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. 
This use was open to malicious scripts being served by the CDN.\n\n\n```html\n\n \n Polyfill.io demo\n \n \n \n ...\n \n\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)\n \n \n \n ...\n \n\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)\n \n \n \n ...\n \n\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n", + "markdown": "# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. 
In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. 
Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. This use was open to malicious scripts being served by the CDN.\n\n\n```html\n\n \n Polyfill.io demo\n \n \n \n ...\n \n\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)\n \n \n \n ...\n \n\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)\n \n \n \n ...\n \n\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. 
Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-830", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql", + "precision": "high", + "security-severity": "7.2" + } + }, + { + "id": "js/functionality-from-untrusted-source", + "name": "js/functionality-from-untrusted-source", + "shortDescription": { + "text": "Inclusion of functionality from an untrusted source" + }, + "fullDescription": { + "text": "Including functionality from an untrusted source may allow an attacker to control the functionality and execute arbitrary code." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. 
When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource 
Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n", + "markdown": "# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. 
Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-830", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql", + "precision": "high", + "security-severity": "6" + } + }, + { + "id": "js/hardcoded-credentials", + "name": "js/hardcoded-credentials", + "shortDescription": { + "text": "Hard-coded credentials" + }, + "fullDescription": { + "text": "Hard-coding credentials in source code may enable an attacker to gain 
unauthorized access." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 
'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n", + "markdown": "# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. 
If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment 
variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-259", + "external/cwe/cwe-321", + "external/cwe/cwe-798", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "js/host-header-forgery-in-email-generation", + "name": "js/host-header-forgery-in-email-generation", + "shortDescription": { + "text": "Host header poisoning in email generation" + }, + "fullDescription": { + "text": "Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. 
Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header 
Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n", + "markdown": "# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. 
This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n let email = req.query.email;\n let transport = nodemailer.createTransport(config.smtp);\n let token = backend.getUserSecretResetToken(email);\n transport.sendMail({\n from: 'webmaster@example.com',\n to: email,\n subject: 'Forgot password',\n text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-640", + "security" + ], + "queryURI": 
"https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "js/html-constructed-from-input", + "name": "js/html-constructed-from-input", + "shortDescription": { + "text": "Unsafe HTML constructed from library input" + }, + "fullDescription": { + "text": "Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = 
name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. 
If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site 
scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/identity-replacement", + "name": "js/identity-replacement", + "shortDescription": { + "text": "Replacement of a substring with itself" + }, + "fullDescription": { + "text": "Replacing a substring with itself has no effect and may indicate a mistake." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown": "# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. 
Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/RegExp/IdentityReplacement.ql", + "precision": "very-high", + "security-severity": "5" + } + }, + { + "id": "js/incomplete-hostname-regexp", + "name": "js/incomplete-hostname-regexp", + "shortDescription": { + "text": "Incomplete regular expression for hostnames" + }, + "fullDescription": { + "text": "Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. 
Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. 
Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "js/incomplete-html-attribute-sanitization", + "name": "js/incomplete-html-attribute-sanitization", + "shortDescription": { 
+ "text": "Incomplete HTML attribute sanitization" + }, + "fullDescription": { + "text": "Writing incompletely sanitized values to HTML attribute strings can lead to a cross-site scripting vulnerability." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Incomplete HTML attribute sanitization\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. Usually, this is done by escaping `<`, `>`, `&` and `\"`. However, the context in which the sanitized value is used decides the characters that need to be sanitized.\n\nAs a consequence, some programs only sanitize `<` and `>` since those are the most common dangerous characters. The lack of sanitization for `\"` is problematic when an incompletely sanitized value is used as an HTML attribute in a string that later is parsed as HTML.\n\n\n## Recommendation\nSanitize all relevant HTML meta-characters when constructing HTML dynamically, and pay special attention to where the sanitized value is used.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) to an HTML attribute of the server response. The user-controlled value is, however, not sanitized for `\"`. This leaves the website vulnerable to cross-site scripting since an attacker can use a string like `\" onclick=\"alert(42)` to inject JavaScript code into the response.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>/g, \"\"); // BAD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\nSanitizing the user-controlled data for `\"` helps prevent the vulnerability:\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>|&|\"/g, \"\"); // GOOD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Incomplete HTML attribute sanitization\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. Usually, this is done by escaping `<`, `>`, `&` and `\"`. However, the context in which the sanitized value is used decides the characters that need to be sanitized.\n\nAs a consequence, some programs only sanitize `<` and `>` since those are the most common dangerous characters. The lack of sanitization for `\"` is problematic when an incompletely sanitized value is used as an HTML attribute in a string that later is parsed as HTML.\n\n\n## Recommendation\nSanitize all relevant HTML meta-characters when constructing HTML dynamically, and pay special attention to where the sanitized value is used.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) to an HTML attribute of the server response. 
The user-controlled value is, however, not sanitized for `\"`. This leaves the website vulnerable to cross-site scripting since an attacker can use a string like `\" onclick=\"alert(42)` to inject JavaScript code into the response.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>/g, \"\"); // BAD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\nSanitizing the user-controlled data for `\"` helps prevent the vulnerability:\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>|&|\"/g, \"\"); // GOOD\n\tlet userHtml = `
${getUserName(id) || \"Unknown name\"}
`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-020", + "external/cwe/cwe-079", + "external/cwe/cwe-116", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "js/incomplete-multi-character-sanitization", + "name": "js/incomplete-multi-character-sanitization", + "shortDescription": { + "text": "Incomplete multi-character sanitization" + }, + "fullDescription": { + "text": "A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. 
However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/